Top

Published in:

2019 | OriginalPaper | Chapter

Limited Proxying for Content Filtering Based on X.509 Proxy Certificate Profile

Authors : Islam Faisal, Sherif El-Kassas

Published in: Innovative Security Solutions for Information Technology and Communications

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Use of proxy servers to filter content is very critical in achieving both personal and enterprise security. A common practice to perform this task is by allowing a man-in-the-middle to intercept the traffic unconditionally and act as a proxy between the client and the server. While this method is good enough for unencrypted HTTP connections, it is not a good practice in encrypted HTTPS (SSL/TLS) connections. In this paper, we introduce an access-controlled limited proxying framework to allow HTTPS content filtering based on the Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile. Limited proxying allows the client and the server to decide which content can be accessed by a proxy to avoid compromise of sensitive content. The proposed framework grants the user full control to grant or revoke specific proxy privileges which enhances the user’s privacy online. We also define and argue about the security properties of the framework as well as some practical considerations for its implementation.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Roaming Interface Signaling Security for LTE Networks

next chapter Anomaly-Based Network Intrusion Detection Using Wavelets and Adversarial Autoencoders

Available only for authorised users

In this paper’s scope, we are not interested in differentiating between SSL and TLS connections. Unless clearly stated or suffixed by a version number, we consider both terms as a method to communicate encrypted web traffic payload.

https://developers.google.com/safe-browsing/.

https://www.symantec.com/products/webfilter-intelligent-services.

http://grid.ncsa.illinois.edu/myproxy/.

Although dating back to 2004, this is the most updated version of the RFC to our knowledge.

We don’t describe how to verify an end entity certificate in this definition. Verifying an EEC is done in accordance with RFC 5280.

https://letsencrypt.org/.

http://prosecco.gforge.inria.fr/personal/bblanche/proverif/.

https://tamarin-prover.github.io/.

Almomani, A., Gupta, B., Atawneh, S., Meulenberg, A., Almomani, E.: A survey of phishing email filtering techniques. IEEE Commun. Surv. Tutor. 15(4), 2070–2090 (2013)CrossRef

Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, vol. 13. ACM, New York (2013)

Bhargavan, K., Boureanu, I., Delignat-Lavaud, A., Fouque, P., Onete, C.: A formal treatment of accountable proxying over TLS. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 799–816, May 2018. https://doi.org/10.1109/SP.2018.00021

Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: NDSS (2011)

Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Proceedings of the 14th IEEE Workshop on Computer Security Foundations, CSFW 2001, p. 82. IEEE Computer Society, Washington, DC (2001). http://dl.acm.org/citation.cfm?id=872752.873511

Blanzieri, E., Bryl, A.: A survey of learning-based techniques of email spam filtering. Artif. Intell. Rev. 29(1), 63–92 (2008)CrossRef

Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: a fast filter for the large-scale detection of malicious web pages. In: Proceedings of the 20th International Conference on World Wide Web, WWW 2011, pp. 197–206. ACM, New York (2011). https://doi.org/10.1145/1963405.1963436

Chen, T.M., Wang, V.: Web filtering and censoring. Computer 43(3), 94–97 (2010). https://doi.org/10.1109/MC.2010.84CrossRef

Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280, RFC Editor, May 2008. http://www.rfc-editor.org/rfc/rfc5280.txt

10.

Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptology ePrint Archive 2016(086), 1–118 (2016)

11.

Coughlin, M., Keller, E., Wustrow, E.: Trusted click: overcoming security issues of NFV in the cloud. In: Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, SDN-NFVSec 2017, pp. 31–36. ACM, New York (2017). https://doi.org/10.1145/3040992.3040994

12.

Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1773–1788. ACM, New York (2017). https://doi.org/10.1145/3133956.3134063

13.

Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1. RFC 4346, RFC Editor, April 2006. http://www.rfc-editor.org/rfc/rfc4346.txt

14.

Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. RFC 5246, RFC Editor, August 2008. http://www.rfc-editor.org/rfc/rfc5246.txt

15.

Dierks, T., Allen, C.: The TLS protocol version 1.0. RFC 2246, RFC Editor, January 1999. http://www.rfc-editor.org/rfc/rfc2246.txt

16.

Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, SFCS 1981, pp. 350–357. IEEE Computer Society, Washington, DC (1981). https://doi.org/10.1109/SFCS.1981.32

17.

Dornseif, M.: Government mandated blocking of foreign web content. arXiv preprint arXiv:cs/0404005 (2004)

18.

Duan, H., Yuan, X., Wang, C.: LightBox: SGX-assisted secure network functions at near-native speed. CoRR abs/1706.06261 (2017). http://arxiv.org/abs/1706.06261

19.

Durumeric, Z., et al.: The security impact of https interception. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2017)

20.

Farrell, S., Housley, R., Turner, S.: An internet attribute certificate profile for authorization. RFC 5755, RFC Editor, January 2010

21.

Farrell, S., Housley, R.: An internet attribute certificate profile for authorization. RFC 3281, RFC Editor, April 2002. http://www.rfc-editor.org/rfc/rfc3281.txt

22.

Foster, I., Kesselman, C.: Computational Grids: The Future of High Performance Distributed Computing. Morgan Kaufmann, Los Altos (1998)

23.

Foster, I., Kesselman, C.: The globus project: a status report. In: 1998 Proceedings of the Seventh Heterogeneous Computing Workshop (HCW 1998), pp. 4–18, March 1998. https://doi.org/10.1109/HCW.1998.666541

24.

Foster, I., Kesselman, C., Tsudik, G., Tuecke, S.: A security architecture for computational grids. In: Proceedings of the 5th ACM Conference on Computer and Communications Security, CCS 1998, pp. 83–92. ACM, New York (1998). https://doi.org/10.1145/288090.288111

25.

Freier, A., Karlton, P., Kocher, P.: The secure sockets layer (SSL) protocol version 3.0. RFC 6101, RFC Editor, August 2011. http://www.rfc-editor.org/rfc/rfc6101.txt

26.

Goltzsche, D., et al.: Endbox: scalable middlebox functions using client-side trusted execution. In: Proceedings of the 48th International Conference on Dependable Systems and Networks, DSN, vol. 18 (2018)

27.

Hammami, M., Chahir, Y., Chen, L.: WebGuard: web based adult content detection and filtering system. In: Proceedings IEEE/WIC International Conference on Web Intelligence (WI 2003), pp. 574–578, October 2003. https://doi.org/10.1109/WI.2003.1241271

28.

Hammami, M., Chahir, Y., Chen, L.: WebGuard: a web filtering engine combining textual, structural, and visual content-based analysis. IEEE Trans. Knowl. Data Eng. 18(2), 272–284 (2006). https://doi.org/10.1109/TKDE.2006.34CrossRef

29.

Han, J., Kim, S., Ha, J., Han, D.: SGX-Box: enabling visibility on encrypted traffic using a secure middlebox module. In: Proceedings of the First Asia-Pacific Workshop on Networking, APNet 2017, pp. 99–105. ACM, New York (2017). https://doi.org/10.1145/3106989.3106994

30.

Hoekstra, M., Lal, R., Pappachan, P., Phegade, V., Del Cuvillo, J.: Using innovative instructions to create trustworthy software solutions. In: HASP@ ISCA, p. 11 (2013)

31.

Holz, R., Braun, L., Kammenhuber, N., Carle, G.: The SSL landscape: a thorough analysis of the X.509 PKI using active and passive measurements. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, IMC 2011, pp. 427–444. ACM, New York (2011). https://doi.org/10.1145/2068816.2068856

32.

Housley, R., Ford, W., Polk, T., Solo, D.: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) Profile. RFC 3280, RFC Editor, April 2002. http://www.rfc-editor.org/rfc/rfc3280.txt

33.

Huang, L.S., Rice, A., Ellingsen, E., Jackson, C.: Analyzing forged SSL certificates in the wild. In: 2014 IEEE Symposium on Security and Privacy, pp. 83–97, May 2014. https://doi.org/10.1109/SP.2014.13

34.

Abstract Syntax Notation One (ASN.1): Specification of basic notation. Standard, International Telecommunication Union, August 2015

35.

Kuvaiskii, D., Chakrabarti, S., Vij, M.: Snort intrusion detection system with Intel software guard extension (Intel SGX). CoRR abs/1802.00508 (2018). http://arxiv.org/abs/1802.00508

36.

Loreto, S., Mattsson, J., Skog, R., Spaak, H., Druta, D., Hafeez, M.: Explicit trusted proxy in HTTP/2.0. Internet-Draft draft-loreto-httpbis-trusted-proxy20-01, IETF Secretariat, February 2014. http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-01.txt

37.

McGrew, D., Wing, D., Gladstone, P.: TLS proxy server extension. Internet-Draft draft-mcgrew-tls-proxy-server-01, IETF Secretariat, July 2012. http://www.ietf.org/internet-drafts/draft-mcgrew-tls-proxy-server-01.txt

38.

McKeen, F., et al.: Innovative instructions and software model for isolated execution. In: HASP@ ISCA, p. 10 (2013)

39.

Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_48CrossRef

40.

Murdoch, S.J., Anderson, R.: Tools and technology of internet filtering. Access Denied: Pract. Policy Glob. Internet Filter. 1(1), 58 (2008)

41.

Naylor, D., et al.: Multi-context TLS (mcTLS): enabling secure in-network functionality in TLS. In: Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015, pp. 199–212. ACM, New York (2015). https://doi.org/10.1145/2785956.2787482

42.

Novotny, J., Tuecke, S., Welch, V.: An online credential repository for the grid: MyProxy. In: Proceedings 10th IEEE International Symposium on High Performance Distributed Computing, pp. 104–111 (2001). https://doi.org/10.1109/HPDC.2001.945181

43.

Poddar, R., Lan, C., Popa, R.A., Ratnasamy, S.: SafeBricks: shielding network functions in the cloud. In: 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2018), Renton, WA (2018)

44.

Polpinij, J., Chotthanom, A., Sibunruang, C., Chamchong, R., Puangpronpitag, S.: Content-based text classifiers for pornographic web filtering. In: 2006 IEEE International Conference on Systems, Man and Cybernetics, vol. 2, pp. 1481–1485, October 2006. https://doi.org/10.1109/ICSMC.2006.384926

45.

Polpinij, J., Sibunruang, C., Paungpronpitag, S., Chamchong, R., Chotthanom, A.: A web pornography patrol system by content-based analysis: in particular text and image. In: 2008 IEEE International Conference on Systems, Man and Cybernetics, pp. 500–505, October 2008. https://doi.org/10.1109/ICSMC.2008.4811326

46.

Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC 8446, RFC Editor, August 2018

47.

Sherry, J., Lan, C., Popa, R.A., Ratnasamy, S.: BlindBox: deep packet inspection over encrypted traffic. In: Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015, pp. 213–226. ACM, New York (2015). https://doi.org/10.1145/2785956.2787502

48.

Trach, B., Krohmer, A., Gregor, F., Arnautov, S., Bhatotia, P., Fetzer, C.: ShieldBox: secure middleboxes using shielded execution. In: Proceedings of the Symposium on SDN Research, SOSR 2018, pp. 2:1–2:14. ACM, New York (2018). https://doi.org/10.1145/3185467.3185469

49.

Tuecke, S., Welch, V., Pearlman, D.E.L., Thompson, M.: Internet X.509 public key infrastructure (PKI) proxy certificate profile. RFC 3820, RFC Editor, June 2004. http://www.rfc-editor.org/rfc/rfc3820.txt

Title: Limited Proxying for Content Filtering Based on X.509 Proxy Certificate Profile
Authors: Islam Faisal
Sherif El-Kassas
Publisher: Springer International Publishing
Book: Innovative Security Solutions for Information Technology and Communications
Print ISBN: 978-3-030-12941-5

Electronic ISBN: 978-3-030-12942-2

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-12942-2_17

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner