Advertisement

Limited Proxying for Content Filtering Based on X.509 Proxy Certificate Profile

  • Islam FaisalEmail author
  • Sherif El-KassasEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11359)

Abstract

Use of proxy servers to filter content is very critical in achieving both personal and enterprise security. A common practice to perform this task is by allowing a man-in-the-middle to intercept the traffic unconditionally and act as a proxy between the client and the server. While this method is good enough for unencrypted HTTP connections, it is not a good practice in encrypted HTTPS (SSL/TLS) connections. In this paper, we introduce an access-controlled limited proxying framework to allow HTTPS content filtering based on the Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile. Limited proxying allows the client and the server to decide which content can be accessed by a proxy to avoid compromise of sensitive content. The proposed framework grants the user full control to grant or revoke specific proxy privileges which enhances the user’s privacy online. We also define and argue about the security properties of the framework as well as some practical considerations for its implementation.

Keywords

Proxy servers Content filtering Proxy certificate profile Privacy 

References

  1. 1.
    Almomani, A., Gupta, B., Atawneh, S., Meulenberg, A., Almomani, E.: A survey of phishing email filtering techniques. IEEE Commun. Surv. Tutor. 15(4), 2070–2090 (2013)CrossRefGoogle Scholar
  2. 2.
    Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, vol. 13. ACM, New York (2013)Google Scholar
  3. 3.
    Bhargavan, K., Boureanu, I., Delignat-Lavaud, A., Fouque, P., Onete, C.: A formal treatment of accountable proxying over TLS. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 799–816, May 2018.  https://doi.org/10.1109/SP.2018.00021
  4. 4.
    Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: NDSS (2011)Google Scholar
  5. 5.
    Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Proceedings of the 14th IEEE Workshop on Computer Security Foundations, CSFW 2001, p. 82. IEEE Computer Society, Washington, DC (2001). http://dl.acm.org/citation.cfm?id=872752.873511
  6. 6.
    Blanzieri, E., Bryl, A.: A survey of learning-based techniques of email spam filtering. Artif. Intell. Rev. 29(1), 63–92 (2008)CrossRefGoogle Scholar
  7. 7.
    Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: a fast filter for the large-scale detection of malicious web pages. In: Proceedings of the 20th International Conference on World Wide Web, WWW 2011, pp. 197–206. ACM, New York (2011).  https://doi.org/10.1145/1963405.1963436
  8. 8.
    Chen, T.M., Wang, V.: Web filtering and censoring. Computer 43(3), 94–97 (2010).  https://doi.org/10.1109/MC.2010.84CrossRefGoogle Scholar
  9. 9.
    Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280, RFC Editor, May 2008. http://www.rfc-editor.org/rfc/rfc5280.txt
  10. 10.
    Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptology ePrint Archive 2016(086), 1–118 (2016)Google Scholar
  11. 11.
    Coughlin, M., Keller, E., Wustrow, E.: Trusted click: overcoming security issues of NFV in the cloud. In: Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, SDN-NFVSec 2017, pp. 31–36. ACM, New York (2017).  https://doi.org/10.1145/3040992.3040994
  12. 12.
    Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1773–1788. ACM, New York (2017).  https://doi.org/10.1145/3133956.3134063
  13. 13.
    Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1. RFC 4346, RFC Editor, April 2006. http://www.rfc-editor.org/rfc/rfc4346.txt
  14. 14.
    Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. RFC 5246, RFC Editor, August 2008. http://www.rfc-editor.org/rfc/rfc5246.txt
  15. 15.
    Dierks, T., Allen, C.: The TLS protocol version 1.0. RFC 2246, RFC Editor, January 1999. http://www.rfc-editor.org/rfc/rfc2246.txt
  16. 16.
    Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, SFCS 1981, pp. 350–357. IEEE Computer Society, Washington, DC (1981).  https://doi.org/10.1109/SFCS.1981.32
  17. 17.
    Dornseif, M.: Government mandated blocking of foreign web content. arXiv preprint arXiv:cs/0404005 (2004)
  18. 18.
    Duan, H., Yuan, X., Wang, C.: LightBox: SGX-assisted secure network functions at near-native speed. CoRR abs/1706.06261 (2017). http://arxiv.org/abs/1706.06261
  19. 19.
    Durumeric, Z., et al.: The security impact of https interception. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2017)Google Scholar
  20. 20.
    Farrell, S., Housley, R., Turner, S.: An internet attribute certificate profile for authorization. RFC 5755, RFC Editor, January 2010Google Scholar
  21. 21.
    Farrell, S., Housley, R.: An internet attribute certificate profile for authorization. RFC 3281, RFC Editor, April 2002. http://www.rfc-editor.org/rfc/rfc3281.txt
  22. 22.
    Foster, I., Kesselman, C.: Computational Grids: The Future of High Performance Distributed Computing. Morgan Kaufmann, Los Altos (1998)Google Scholar
  23. 23.
    Foster, I., Kesselman, C.: The globus project: a status report. In: 1998 Proceedings of the Seventh Heterogeneous Computing Workshop (HCW 1998), pp. 4–18, March 1998.  https://doi.org/10.1109/HCW.1998.666541
  24. 24.
    Foster, I., Kesselman, C., Tsudik, G., Tuecke, S.: A security architecture for computational grids. In: Proceedings of the 5th ACM Conference on Computer and Communications Security, CCS 1998, pp. 83–92. ACM, New York (1998).  https://doi.org/10.1145/288090.288111
  25. 25.
    Freier, A., Karlton, P., Kocher, P.: The secure sockets layer (SSL) protocol version 3.0. RFC 6101, RFC Editor, August 2011. http://www.rfc-editor.org/rfc/rfc6101.txt
  26. 26.
    Goltzsche, D., et al.: Endbox: scalable middlebox functions using client-side trusted execution. In: Proceedings of the 48th International Conference on Dependable Systems and Networks, DSN, vol. 18 (2018)Google Scholar
  27. 27.
    Hammami, M., Chahir, Y., Chen, L.: WebGuard: web based adult content detection and filtering system. In: Proceedings IEEE/WIC International Conference on Web Intelligence (WI 2003), pp. 574–578, October 2003.  https://doi.org/10.1109/WI.2003.1241271
  28. 28.
    Hammami, M., Chahir, Y., Chen, L.: WebGuard: a web filtering engine combining textual, structural, and visual content-based analysis. IEEE Trans. Knowl. Data Eng. 18(2), 272–284 (2006).  https://doi.org/10.1109/TKDE.2006.34CrossRefGoogle Scholar
  29. 29.
    Han, J., Kim, S., Ha, J., Han, D.: SGX-Box: enabling visibility on encrypted traffic using a secure middlebox module. In: Proceedings of the First Asia-Pacific Workshop on Networking, APNet 2017, pp. 99–105. ACM, New York (2017).  https://doi.org/10.1145/3106989.3106994
  30. 30.
    Hoekstra, M., Lal, R., Pappachan, P., Phegade, V., Del Cuvillo, J.: Using innovative instructions to create trustworthy software solutions. In: HASP@ ISCA, p. 11 (2013)Google Scholar
  31. 31.
    Holz, R., Braun, L., Kammenhuber, N., Carle, G.: The SSL landscape: a thorough analysis of the X.509 PKI using active and passive measurements. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, IMC 2011, pp. 427–444. ACM, New York (2011).  https://doi.org/10.1145/2068816.2068856
  32. 32.
    Housley, R., Ford, W., Polk, T., Solo, D.: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) Profile. RFC 3280, RFC Editor, April 2002. http://www.rfc-editor.org/rfc/rfc3280.txt
  33. 33.
    Huang, L.S., Rice, A., Ellingsen, E., Jackson, C.: Analyzing forged SSL certificates in the wild. In: 2014 IEEE Symposium on Security and Privacy, pp. 83–97, May 2014.  https://doi.org/10.1109/SP.2014.13
  34. 34.
    Abstract Syntax Notation One (ASN.1): Specification of basic notation. Standard, International Telecommunication Union, August 2015Google Scholar
  35. 35.
    Kuvaiskii, D., Chakrabarti, S., Vij, M.: Snort intrusion detection system with Intel software guard extension (Intel SGX). CoRR abs/1802.00508 (2018). http://arxiv.org/abs/1802.00508
  36. 36.
    Loreto, S., Mattsson, J., Skog, R., Spaak, H., Druta, D., Hafeez, M.: Explicit trusted proxy in HTTP/2.0. Internet-Draft draft-loreto-httpbis-trusted-proxy20-01, IETF Secretariat, February 2014. http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-01.txt
  37. 37.
    McGrew, D., Wing, D., Gladstone, P.: TLS proxy server extension. Internet-Draft draft-mcgrew-tls-proxy-server-01, IETF Secretariat, July 2012. http://www.ietf.org/internet-drafts/draft-mcgrew-tls-proxy-server-01.txt
  38. 38.
    McKeen, F., et al.: Innovative instructions and software model for isolated execution. In: HASP@ ISCA, p. 10 (2013)Google Scholar
  39. 39.
    Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-39799-8_48CrossRefGoogle Scholar
  40. 40.
    Murdoch, S.J., Anderson, R.: Tools and technology of internet filtering. Access Denied: Pract. Policy Glob. Internet Filter. 1(1), 58 (2008)Google Scholar
  41. 41.
    Naylor, D., et al.: Multi-context TLS (mcTLS): enabling secure in-network functionality in TLS. In: Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015, pp. 199–212. ACM, New York (2015).  https://doi.org/10.1145/2785956.2787482
  42. 42.
    Novotny, J., Tuecke, S., Welch, V.: An online credential repository for the grid: MyProxy. In: Proceedings 10th IEEE International Symposium on High Performance Distributed Computing, pp. 104–111 (2001).  https://doi.org/10.1109/HPDC.2001.945181
  43. 43.
    Poddar, R., Lan, C., Popa, R.A., Ratnasamy, S.: SafeBricks: shielding network functions in the cloud. In: 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2018), Renton, WA (2018)Google Scholar
  44. 44.
    Polpinij, J., Chotthanom, A., Sibunruang, C., Chamchong, R., Puangpronpitag, S.: Content-based text classifiers for pornographic web filtering. In: 2006 IEEE International Conference on Systems, Man and Cybernetics, vol. 2, pp. 1481–1485, October 2006.  https://doi.org/10.1109/ICSMC.2006.384926
  45. 45.
    Polpinij, J., Sibunruang, C., Paungpronpitag, S., Chamchong, R., Chotthanom, A.: A web pornography patrol system by content-based analysis: in particular text and image. In: 2008 IEEE International Conference on Systems, Man and Cybernetics, pp. 500–505, October 2008.  https://doi.org/10.1109/ICSMC.2008.4811326
  46. 46.
    Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC 8446, RFC Editor, August 2018Google Scholar
  47. 47.
    Sherry, J., Lan, C., Popa, R.A., Ratnasamy, S.: BlindBox: deep packet inspection over encrypted traffic. In: Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015, pp. 213–226. ACM, New York (2015).  https://doi.org/10.1145/2785956.2787502
  48. 48.
    Trach, B., Krohmer, A., Gregor, F., Arnautov, S., Bhatotia, P., Fetzer, C.: ShieldBox: secure middleboxes using shielded execution. In: Proceedings of the Symposium on SDN Research, SOSR 2018, pp. 2:1–2:14. ACM, New York (2018).  https://doi.org/10.1145/3185467.3185469
  49. 49.
    Tuecke, S., Welch, V., Pearlman, D.E.L., Thompson, M.: Internet X.509 public key infrastructure (PKI) proxy certificate profile. RFC 3820, RFC Editor, June 2004. http://www.rfc-editor.org/rfc/rfc3820.txt

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Computer Science and Engineering DepartmentThe American University in CairoCairoEgypt

Personalised recommendations