Limited Proxying for Content Filtering Based on X.509 Proxy Certificate Profile

The use of proxy servers to filter content is critical to both personal and enterprise security. A common way to do this is to let a man-in-the-middle intercept the traffic unconditionally and act as a proxy between the client and the server. While this method is good enough for unencrypted HTTP connections, it is not good practice for encrypted HTTPS (SSL/TLS) connections. In this paper, we introduce an access-controlled limited proxying framework that allows HTTPS content filtering based on the Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile. Limited proxying lets the client and the server decide which content a proxy can access, so that sensitive content is not compromised. The proposed framework gives the user full control to grant or revoke specific proxy privileges, which enhances the user’s privacy online. We also define and argue about the security properties of the framework, and discuss some practical considerations for its implementation.
