When TLS Meets Proxy on Mobile

  • Conference paper
Applied Cryptography and Network Security (ACNS 2020)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12147)

Abstract

An increasing number of mobile browsers are developed to use proxies for traffic compression and censorship circumvention. While these browsers can offer such desirable features, their security implications are not well understood, especially when TLS is in the mix. Apart from vendor-specific proprietary designs, there are mainly two models of using proxies with browsers: TLS interception and HTTP tunneling. To understand the current practices employed by proxy-based mobile browsers, we analyze 34 Android browser apps that are representative of the ecosystem, and examine how their deployments affect communication security. Though the impact of TLS interception on security has been studied before in other contexts, proxy-based mobile browsers were not considered previously. In addition, the tunneling model requires the browser itself to enforce certain desired security policies (e.g., validating certificates and avoiding the use of weak cipher suites), and it is preferable for such enforcement to match the security level of conventional desktop browsers. Our evaluation shows that many proxy-based mobile browsers downgrade the overall quality of TLS sessions, for example by allowing old versions of TLS (e.g., SSLv3.0 and TLSv1.0) and accepting weak cryptographic algorithms (e.g., 3DES and RC4) as well as unsatisfactory certificates (e.g., revoked or signed by untrusted CAs), thus exposing their users to potential security and privacy threats. We have reported our findings to the vendors of vulnerable proxy-based browsers and are waiting for their response.

Notes

  1. https://w3techs.com/technologies/overview/ssl_certificate/all

  2. https://www.ssllabs.com/ssltest/viewMyClient.html

Acknowledgement

We thank the anonymous reviewers for their comments. This work is supported by NSF grant CNS-1657124.

Author information

Correspondence to Joyanta Debnath.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Debnath, J., Chau, S.Y., Chowdhury, O. (2020). When TLS Meets Proxy on Mobile. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds) Applied Cryptography and Network Security. ACNS 2020. Lecture Notes in Computer Science, vol 12147. Springer, Cham. https://doi.org/10.1007/978-3-030-57878-7_19

  • DOI: https://doi.org/10.1007/978-3-030-57878-7_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-57877-0

  • Online ISBN: 978-3-030-57878-7

  • eBook Packages: Computer Science, Computer Science (R0)
