Tunneling for Transparency: A Large-Scale Analysis of End-to-End Violations in the Internet

Detecting violations of application-level end-to-end connectivity on the Internet is of significant interest to researchers and end users; recent studies have revealed cases of HTTP ad injection and HTTPS man-in-the-middle attacks. Unfortunately, detecting such end-to-end violations at scale remains difficult, as it generally requires having the cooperation of many nodes spread across the globe. Most successful approaches have relied either on dedicated hardware, user-installed software, or privileged access to a popular web site. In this paper, we present an alternate approach for detecting end-to-end violations based on Luminati, an HTTP/S proxy service that routes traffic through millions of end hosts. We develop measurement techniques that allow Luminati to be used to detect end-to-end violations of DNS, HTTP, and HTTPS, and, in many cases, enable us to identify the culprit. We present results from over 1.2m nodes across 14k ASes in 172 countries, finding that up to 4.8% of nodes are subject to some type of end-to-end connectivity violation. Finally, we are able to use Luminati to identify and measure the incidence of content monitoring, where end-host software or ISP middleboxes record users' HTTP requests and later re-download the content to third-party servers.
