A Survey and Analysis of TLS Interception Mechanisms and Motivations: Exploring how end-to-end TLS is made “end-to-me” for web traffic-Reference-Cited by-同舟云学术

A Survey and Analysis of TLS Interception Mechanisms and Motivations: Exploring how end-to-end TLS is made “end-to-me” for web traffic

Published:2023-07-13 Issue:13s Volume:55 Page:1-40
ISSN:0360-0300
Container-title:ACM Computing Surveys
language:en
Short-container-title:ACM Comput. Surv.

Author:

de Carné de Carnavalet Xavier¹^ORCID,van Oorschot Paul C.²^ORCID

Affiliation:

1. The Hong Kong Polytechnic University, Hong Kong SAR

2. Carleton University, Ontario, Canada

Abstract

TLS is an end-to-end protocol designed to provide confidentiality and integrity guarantees that improve end-user security and privacy. While TLS helps defend against pervasive surveillance of intercepted unencrypted traffic, it also hinders several common beneficial operations typically performed by middleboxes on the network traffic. Consequently, various methods have been proposed that “bypass” the confidentiality goals of TLS by playing with keys and certificates essentially in a man-in-the-middle solution, as well as new proposals that extend the protocol to accommodate third parties, delegation schemes to trusted middleboxes, and fine-grained control and verification mechanisms. We first review the use cases expecting plain HTTP traffic and discuss the extent to which TLS hinders these operations. We retain 19 scenarios where access to unencrypted traffic is still relevant and evaluate the incentives of the stakeholders involved. Second, we survey 30 schemes by which TLS no longer delivers end-to-end security and by which the notion of an “end” changes, including caching middleboxes such as Content Delivery Networks. Finally, we compare each scheme based on deployability and security characteristics and evaluate their compatibility with the stakeholders’ incentives. Our analysis leads to a number of key findings, observations, and research questions that we believe will be of interest to practitioners, policy makers, and researchers.

Funder

DND/NSERC Discovery Grant supplement

Natural Sciences and Engineering Research Council of Canada (NSERC) for both his Canada Research Chair in Authentication and Computer Security, and a Discovery Grant

Publisher

Association for Computing Machinery (ACM)

Subject

General Computer Science,Theoretical Computer Science

Link

https://dl.acm.org/doi/pdf/10.1145/3580522

Reference131 articles.

1. Victor Agababov, Michael Buettner, Victor Chudnovsky, Mark Cogan, Ben Greenstein, Shane McDaniel, Michael Piatek, Colin Scott, Matt Welsh, and Bolian Yin. 2015. Flywheel: Google’s data compression proxy for the mobile web. In USENIX Symposium on Networked Systems Design and Implementation (NSDI).

2. Devdatta Akhawe Frederik Braun François Marier and Joel Weinberger. 2016. Subresource Integrity. Retrieved from https://www.w3.org/TR/SRI/.

3. QoS3: Secure Caching in HTTPS Based on Fine-Grained Trust Delegation

4. Internet of Things: A Survey on Enabling Technologies, Protocols, and Applications

5. Amazon Elastic Container Service. 2020. Load Balancer Types. Retrieved from https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html.

Cited by 4 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Securing Sensing in Supply Chains: Opportunities, Building Blocks, and Designs;IEEE Access;2024

2. Comparison of ML-based One-Stage and Two-Stage NIDS Models;2023 16th International Conference on Information Security and Cryptology (ISCTürkiye);2023-10-18

3. A Quic(k) Security Overview: A Literature Research on Implemented Security Recommendations;Proceedings of the 18th International Conference on Availability, Reliability and Security;2023-08-29

4. A Survey on X.509 Public-Key Infrastructure, Certificate Revocation, and Their Modern Implementation on Blockchain and Ledger Technologies;IEEE Communications Surveys & Tutorials;2023