Abstract
Use of proxy servers to filter content is very critical in achieving both personal and enterprise security. A common practice to perform this task is by allowing a man-in-the-middle to intercept the traffic unconditionally and act as a proxy between the client and the server. While this method is good enough for unencrypted HTTP connections, it is not a good practice in encrypted HTTPS (SSL/TLS) connections. In this paper, we introduce an access-controlled limited proxying framework to allow HTTPS content filtering based on the Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile. Limited proxying allows the client and the server to decide which content can be accessed by a proxy to avoid compromise of sensitive content. The proposed framework grants the user full control to grant or revoke specific proxy privileges which enhances the user’s privacy online. We also define and argue about the security properties of the framework as well as some practical considerations for its implementation.
Keywords
I. Faisal’s travel to the SECITC conference is supported by AUC’s Undergraduate Research Office grant UG#1810898.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
In this paper’s scope, we are not interested in differentiating between SSL and TLS connections. Unless clearly stated or suffixed by a version number, we consider both terms as a method to communicate encrypted web traffic payload.
- 2.
- 3.
- 4.
- 5.
Although dating back to 2004, this is the most updated version of the RFC to our knowledge.
- 6.
We don’t describe how to verify an end entity certificate in this definition. Verifying an EEC is done in accordance with RFC 5280.
- 7.
- 8.
- 9.
References
Almomani, A., Gupta, B., Atawneh, S., Meulenberg, A., Almomani, E.: A survey of phishing email filtering techniques. IEEE Commun. Surv. Tutor. 15(4), 2070–2090 (2013)
Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, vol. 13. ACM, New York (2013)
Bhargavan, K., Boureanu, I., Delignat-Lavaud, A., Fouque, P., Onete, C.: A formal treatment of accountable proxying over TLS. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 799–816, May 2018. https://doi.org/10.1109/SP.2018.00021
Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: NDSS (2011)
Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Proceedings of the 14th IEEE Workshop on Computer Security Foundations, CSFW 2001, p. 82. IEEE Computer Society, Washington, DC (2001). http://dl.acm.org/citation.cfm?id=872752.873511
Blanzieri, E., Bryl, A.: A survey of learning-based techniques of email spam filtering. Artif. Intell. Rev. 29(1), 63–92 (2008)
Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: a fast filter for the large-scale detection of malicious web pages. In: Proceedings of the 20th International Conference on World Wide Web, WWW 2011, pp. 197–206. ACM, New York (2011). https://doi.org/10.1145/1963405.1963436
Chen, T.M., Wang, V.: Web filtering and censoring. Computer 43(3), 94–97 (2010). https://doi.org/10.1109/MC.2010.84
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280, RFC Editor, May 2008. http://www.rfc-editor.org/rfc/rfc5280.txt
Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptology ePrint Archive 2016(086), 1–118 (2016)
Coughlin, M., Keller, E., Wustrow, E.: Trusted click: overcoming security issues of NFV in the cloud. In: Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, SDN-NFVSec 2017, pp. 31–36. ACM, New York (2017). https://doi.org/10.1145/3040992.3040994
Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1773–1788. ACM, New York (2017). https://doi.org/10.1145/3133956.3134063
Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1. RFC 4346, RFC Editor, April 2006. http://www.rfc-editor.org/rfc/rfc4346.txt
Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. RFC 5246, RFC Editor, August 2008. http://www.rfc-editor.org/rfc/rfc5246.txt
Dierks, T., Allen, C.: The TLS protocol version 1.0. RFC 2246, RFC Editor, January 1999. http://www.rfc-editor.org/rfc/rfc2246.txt
Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, SFCS 1981, pp. 350–357. IEEE Computer Society, Washington, DC (1981). https://doi.org/10.1109/SFCS.1981.32
Dornseif, M.: Government mandated blocking of foreign web content. arXiv preprint arXiv:cs/0404005 (2004)
Duan, H., Yuan, X., Wang, C.: LightBox: SGX-assisted secure network functions at near-native speed. CoRR abs/1706.06261 (2017). http://arxiv.org/abs/1706.06261
Durumeric, Z., et al.: The security impact of https interception. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2017)
Farrell, S., Housley, R., Turner, S.: An internet attribute certificate profile for authorization. RFC 5755, RFC Editor, January 2010
Farrell, S., Housley, R.: An internet attribute certificate profile for authorization. RFC 3281, RFC Editor, April 2002. http://www.rfc-editor.org/rfc/rfc3281.txt
Foster, I., Kesselman, C.: Computational Grids: The Future of High Performance Distributed Computing. Morgan Kaufmann, Los Altos (1998)
Foster, I., Kesselman, C.: The globus project: a status report. In: 1998 Proceedings of the Seventh Heterogeneous Computing Workshop (HCW 1998), pp. 4–18, March 1998. https://doi.org/10.1109/HCW.1998.666541
Foster, I., Kesselman, C., Tsudik, G., Tuecke, S.: A security architecture for computational grids. In: Proceedings of the 5th ACM Conference on Computer and Communications Security, CCS 1998, pp. 83–92. ACM, New York (1998). https://doi.org/10.1145/288090.288111
Freier, A., Karlton, P., Kocher, P.: The secure sockets layer (SSL) protocol version 3.0. RFC 6101, RFC Editor, August 2011. http://www.rfc-editor.org/rfc/rfc6101.txt
Goltzsche, D., et al.: Endbox: scalable middlebox functions using client-side trusted execution. In: Proceedings of the 48th International Conference on Dependable Systems and Networks, DSN, vol. 18 (2018)
Hammami, M., Chahir, Y., Chen, L.: WebGuard: web based adult content detection and filtering system. In: Proceedings IEEE/WIC International Conference on Web Intelligence (WI 2003), pp. 574–578, October 2003. https://doi.org/10.1109/WI.2003.1241271
Hammami, M., Chahir, Y., Chen, L.: WebGuard: a web filtering engine combining textual, structural, and visual content-based analysis. IEEE Trans. Knowl. Data Eng. 18(2), 272–284 (2006). https://doi.org/10.1109/TKDE.2006.34
Han, J., Kim, S., Ha, J., Han, D.: SGX-Box: enabling visibility on encrypted traffic using a secure middlebox module. In: Proceedings of the First Asia-Pacific Workshop on Networking, APNet 2017, pp. 99–105. ACM, New York (2017). https://doi.org/10.1145/3106989.3106994
Hoekstra, M., Lal, R., Pappachan, P., Phegade, V., Del Cuvillo, J.: Using innovative instructions to create trustworthy software solutions. In: HASP@ ISCA, p. 11 (2013)
Holz, R., Braun, L., Kammenhuber, N., Carle, G.: The SSL landscape: a thorough analysis of the X.509 PKI using active and passive measurements. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, IMC 2011, pp. 427–444. ACM, New York (2011). https://doi.org/10.1145/2068816.2068856
Housley, R., Ford, W., Polk, T., Solo, D.: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) Profile. RFC 3280, RFC Editor, April 2002. http://www.rfc-editor.org/rfc/rfc3280.txt
Huang, L.S., Rice, A., Ellingsen, E., Jackson, C.: Analyzing forged SSL certificates in the wild. In: 2014 IEEE Symposium on Security and Privacy, pp. 83–97, May 2014. https://doi.org/10.1109/SP.2014.13
Abstract Syntax Notation One (ASN.1): Specification of basic notation. Standard, International Telecommunication Union, August 2015
Kuvaiskii, D., Chakrabarti, S., Vij, M.: Snort intrusion detection system with Intel software guard extension (Intel SGX). CoRR abs/1802.00508 (2018). http://arxiv.org/abs/1802.00508
Loreto, S., Mattsson, J., Skog, R., Spaak, H., Druta, D., Hafeez, M.: Explicit trusted proxy in HTTP/2.0. Internet-Draft draft-loreto-httpbis-trusted-proxy20-01, IETF Secretariat, February 2014. http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-01.txt
McGrew, D., Wing, D., Gladstone, P.: TLS proxy server extension. Internet-Draft draft-mcgrew-tls-proxy-server-01, IETF Secretariat, July 2012. http://www.ietf.org/internet-drafts/draft-mcgrew-tls-proxy-server-01.txt
McKeen, F., et al.: Innovative instructions and software model for isolated execution. In: HASP@ ISCA, p. 10 (2013)
Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_48
Murdoch, S.J., Anderson, R.: Tools and technology of internet filtering. Access Denied: Pract. Policy Glob. Internet Filter. 1(1), 58 (2008)
Naylor, D., et al.: Multi-context TLS (mcTLS): enabling secure in-network functionality in TLS. In: Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015, pp. 199–212. ACM, New York (2015). https://doi.org/10.1145/2785956.2787482
Novotny, J., Tuecke, S., Welch, V.: An online credential repository for the grid: MyProxy. In: Proceedings 10th IEEE International Symposium on High Performance Distributed Computing, pp. 104–111 (2001). https://doi.org/10.1109/HPDC.2001.945181
Poddar, R., Lan, C., Popa, R.A., Ratnasamy, S.: SafeBricks: shielding network functions in the cloud. In: 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2018), Renton, WA (2018)
Polpinij, J., Chotthanom, A., Sibunruang, C., Chamchong, R., Puangpronpitag, S.: Content-based text classifiers for pornographic web filtering. In: 2006 IEEE International Conference on Systems, Man and Cybernetics, vol. 2, pp. 1481–1485, October 2006. https://doi.org/10.1109/ICSMC.2006.384926
Polpinij, J., Sibunruang, C., Paungpronpitag, S., Chamchong, R., Chotthanom, A.: A web pornography patrol system by content-based analysis: in particular text and image. In: 2008 IEEE International Conference on Systems, Man and Cybernetics, pp. 500–505, October 2008. https://doi.org/10.1109/ICSMC.2008.4811326
Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC 8446, RFC Editor, August 2018
Sherry, J., Lan, C., Popa, R.A., Ratnasamy, S.: BlindBox: deep packet inspection over encrypted traffic. In: Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015, pp. 213–226. ACM, New York (2015). https://doi.org/10.1145/2785956.2787502
Trach, B., Krohmer, A., Gregor, F., Arnautov, S., Bhatotia, P., Fetzer, C.: ShieldBox: secure middleboxes using shielded execution. In: Proceedings of the Symposium on SDN Research, SOSR 2018, pp. 2:1–2:14. ACM, New York (2018). https://doi.org/10.1145/3185467.3185469
Tuecke, S., Welch, V., Pearlman, D.E.L., Thompson, M.: Internet X.509 public key infrastructure (PKI) proxy certificate profile. RFC 3820, RFC Editor, June 2004. http://www.rfc-editor.org/rfc/rfc3820.txt
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Appendix A Content Filtering Policy Language
Appendix A Content Filtering Policy Language
In the proposed framework, we have defined a policy language to be used with the proxy certificate profile. In this section, we list the structure of that language.
The policy field of the proxy certificate extension is encoded as a string in the field policy in Listing 1.1. This string is an encoding of the structure listed in Listing 1.2. This structure is defined in the Abstract Syntax Notation One (ASN.1) [34] which is a standard interface description language. The structure consists of the fields mentioned in Sect. 3.3.
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Faisal, I., El-Kassas, S. (2019). Limited Proxying for Content Filtering Based on X.509 Proxy Certificate Profile. In: Lanet, JL., Toma, C. (eds) Innovative Security Solutions for Information Technology and Communications. SECITC 2018. Lecture Notes in Computer Science(), vol 11359. Springer, Cham. https://doi.org/10.1007/978-3-030-12942-2_17
Download citation
DOI: https://doi.org/10.1007/978-3-030-12942-2_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12941-5
Online ISBN: 978-3-030-12942-2
eBook Packages: Computer ScienceComputer Science (R0)