Limited Proxying for Content Filtering Based on X.509 Proxy Certificate Profile

  • Conference paper
Innovative Security Solutions for Information Technology and Communications (SECITC 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11359)

Abstract

The use of proxy servers to filter content is critical to both personal and enterprise security. A common way to perform this task is to allow a man-in-the-middle to intercept the traffic unconditionally and act as a proxy between the client and the server. While this method is good enough for unencrypted HTTP connections, it is not a good practice for encrypted HTTPS (SSL/TLS) connections. In this paper, we introduce an access-controlled limited proxying framework that allows HTTPS content filtering based on the Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile. Limited proxying allows the client and the server to decide which content can be accessed by a proxy, to avoid compromise of sensitive content. The proposed framework gives the user full control to grant or revoke specific proxy privileges, which enhances the user’s privacy online. We also define and argue about the security properties of the framework, as well as some practical considerations for its implementation.

I. Faisal’s travel to the SECITC conference is supported by AUC’s Undergraduate Research Office grant UG#1810898.

Notes

  1. In this paper’s scope, we are not interested in differentiating between SSL and TLS connections. Unless clearly stated or suffixed by a version number, we consider both terms as a method to communicate encrypted web traffic payload.

  2. https://developers.google.com/safe-browsing/.

  3. https://www.symantec.com/products/webfilter-intelligent-services.

  4. http://grid.ncsa.illinois.edu/myproxy/.

  5. Although dating back to 2004, this is the most updated version of the RFC to our knowledge.

  6. We don’t describe how to verify an end entity certificate in this definition. Verifying an EEC is done in accordance with RFC 5280.

  7. https://letsencrypt.org/.

  8. http://prosecco.gforge.inria.fr/personal/bblanche/proverif/.

  9. https://tamarin-prover.github.io/.

References

  1. Almomani, A., Gupta, B., Atawneh, S., Meulenberg, A., Almomani, E.: A survey of phishing email filtering techniques. IEEE Commun. Surv. Tutor. 15(4), 2070–2090 (2013)


  2. Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, vol. 13. ACM, New York (2013)


  3. Bhargavan, K., Boureanu, I., Delignat-Lavaud, A., Fouque, P., Onete, C.: A formal treatment of accountable proxying over TLS. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 799–816, May 2018. https://doi.org/10.1109/SP.2018.00021

  4. Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: NDSS (2011)


  5. Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Proceedings of the 14th IEEE Workshop on Computer Security Foundations, CSFW 2001, p. 82. IEEE Computer Society, Washington, DC (2001). http://dl.acm.org/citation.cfm?id=872752.873511

  6. Blanzieri, E., Bryl, A.: A survey of learning-based techniques of email spam filtering. Artif. Intell. Rev. 29(1), 63–92 (2008)


  7. Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: a fast filter for the large-scale detection of malicious web pages. In: Proceedings of the 20th International Conference on World Wide Web, WWW 2011, pp. 197–206. ACM, New York (2011). https://doi.org/10.1145/1963405.1963436

  8. Chen, T.M., Wang, V.: Web filtering and censoring. Computer 43(3), 94–97 (2010). https://doi.org/10.1109/MC.2010.84


  9. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280, RFC Editor, May 2008. http://www.rfc-editor.org/rfc/rfc5280.txt

  10. Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptology ePrint Archive 2016(086), 1–118 (2016)


  11. Coughlin, M., Keller, E., Wustrow, E.: Trusted click: overcoming security issues of NFV in the cloud. In: Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, SDN-NFVSec 2017, pp. 31–36. ACM, New York (2017). https://doi.org/10.1145/3040992.3040994

  12. Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1773–1788. ACM, New York (2017). https://doi.org/10.1145/3133956.3134063

  13. Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1. RFC 4346, RFC Editor, April 2006. http://www.rfc-editor.org/rfc/rfc4346.txt

  14. Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. RFC 5246, RFC Editor, August 2008. http://www.rfc-editor.org/rfc/rfc5246.txt

  15. Dierks, T., Allen, C.: The TLS protocol version 1.0. RFC 2246, RFC Editor, January 1999. http://www.rfc-editor.org/rfc/rfc2246.txt

  16. Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, SFCS 1981, pp. 350–357. IEEE Computer Society, Washington, DC (1981). https://doi.org/10.1109/SFCS.1981.32

  17. Dornseif, M.: Government mandated blocking of foreign web content. arXiv preprint arXiv:cs/0404005 (2004)

  18. Duan, H., Yuan, X., Wang, C.: LightBox: SGX-assisted secure network functions at near-native speed. CoRR abs/1706.06261 (2017). http://arxiv.org/abs/1706.06261

  19. Durumeric, Z., et al.: The security impact of https interception. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2017)


  20. Farrell, S., Housley, R., Turner, S.: An internet attribute certificate profile for authorization. RFC 5755, RFC Editor, January 2010


  21. Farrell, S., Housley, R.: An internet attribute certificate profile for authorization. RFC 3281, RFC Editor, April 2002. http://www.rfc-editor.org/rfc/rfc3281.txt

  22. Foster, I., Kesselman, C.: Computational Grids: The Future of High Performance Distributed Computing. Morgan Kaufmann, Los Altos (1998)


  23. Foster, I., Kesselman, C.: The globus project: a status report. In: 1998 Proceedings of the Seventh Heterogeneous Computing Workshop (HCW 1998), pp. 4–18, March 1998. https://doi.org/10.1109/HCW.1998.666541

  24. Foster, I., Kesselman, C., Tsudik, G., Tuecke, S.: A security architecture for computational grids. In: Proceedings of the 5th ACM Conference on Computer and Communications Security, CCS 1998, pp. 83–92. ACM, New York (1998). https://doi.org/10.1145/288090.288111

  25. Freier, A., Karlton, P., Kocher, P.: The secure sockets layer (SSL) protocol version 3.0. RFC 6101, RFC Editor, August 2011. http://www.rfc-editor.org/rfc/rfc6101.txt

  26. Goltzsche, D., et al.: Endbox: scalable middlebox functions using client-side trusted execution. In: Proceedings of the 48th International Conference on Dependable Systems and Networks, DSN, vol. 18 (2018)


  27. Hammami, M., Chahir, Y., Chen, L.: WebGuard: web based adult content detection and filtering system. In: Proceedings IEEE/WIC International Conference on Web Intelligence (WI 2003), pp. 574–578, October 2003. https://doi.org/10.1109/WI.2003.1241271

  28. Hammami, M., Chahir, Y., Chen, L.: WebGuard: a web filtering engine combining textual, structural, and visual content-based analysis. IEEE Trans. Knowl. Data Eng. 18(2), 272–284 (2006). https://doi.org/10.1109/TKDE.2006.34


  29. Han, J., Kim, S., Ha, J., Han, D.: SGX-Box: enabling visibility on encrypted traffic using a secure middlebox module. In: Proceedings of the First Asia-Pacific Workshop on Networking, APNet 2017, pp. 99–105. ACM, New York (2017). https://doi.org/10.1145/3106989.3106994

  30. Hoekstra, M., Lal, R., Pappachan, P., Phegade, V., Del Cuvillo, J.: Using innovative instructions to create trustworthy software solutions. In: HASP@ ISCA, p. 11 (2013)


  31. Holz, R., Braun, L., Kammenhuber, N., Carle, G.: The SSL landscape: a thorough analysis of the X.509 PKI using active and passive measurements. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, IMC 2011, pp. 427–444. ACM, New York (2011). https://doi.org/10.1145/2068816.2068856

  32. Housley, R., Ford, W., Polk, T., Solo, D.: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) Profile. RFC 3280, RFC Editor, April 2002. http://www.rfc-editor.org/rfc/rfc3280.txt

  33. Huang, L.S., Rice, A., Ellingsen, E., Jackson, C.: Analyzing forged SSL certificates in the wild. In: 2014 IEEE Symposium on Security and Privacy, pp. 83–97, May 2014. https://doi.org/10.1109/SP.2014.13

  34. Abstract Syntax Notation One (ASN.1): Specification of basic notation. Standard, International Telecommunication Union, August 2015


  35. Kuvaiskii, D., Chakrabarti, S., Vij, M.: Snort intrusion detection system with Intel software guard extension (Intel SGX). CoRR abs/1802.00508 (2018). http://arxiv.org/abs/1802.00508

  36. Loreto, S., Mattsson, J., Skog, R., Spaak, H., Druta, D., Hafeez, M.: Explicit trusted proxy in HTTP/2.0. Internet-Draft draft-loreto-httpbis-trusted-proxy20-01, IETF Secretariat, February 2014. http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-01.txt

  37. McGrew, D., Wing, D., Gladstone, P.: TLS proxy server extension. Internet-Draft draft-mcgrew-tls-proxy-server-01, IETF Secretariat, July 2012. http://www.ietf.org/internet-drafts/draft-mcgrew-tls-proxy-server-01.txt

  38. McKeen, F., et al.: Innovative instructions and software model for isolated execution. In: HASP@ ISCA, p. 10 (2013)


  39. Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_48


  40. Murdoch, S.J., Anderson, R.: Tools and technology of internet filtering. Access Denied: Pract. Policy Glob. Internet Filter. 1(1), 58 (2008)


  41. Naylor, D., et al.: Multi-context TLS (mcTLS): enabling secure in-network functionality in TLS. In: Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015, pp. 199–212. ACM, New York (2015). https://doi.org/10.1145/2785956.2787482

  42. Novotny, J., Tuecke, S., Welch, V.: An online credential repository for the grid: MyProxy. In: Proceedings 10th IEEE International Symposium on High Performance Distributed Computing, pp. 104–111 (2001). https://doi.org/10.1109/HPDC.2001.945181

  43. Poddar, R., Lan, C., Popa, R.A., Ratnasamy, S.: SafeBricks: shielding network functions in the cloud. In: 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2018), Renton, WA (2018)


  44. Polpinij, J., Chotthanom, A., Sibunruang, C., Chamchong, R., Puangpronpitag, S.: Content-based text classifiers for pornographic web filtering. In: 2006 IEEE International Conference on Systems, Man and Cybernetics, vol. 2, pp. 1481–1485, October 2006. https://doi.org/10.1109/ICSMC.2006.384926

  45. Polpinij, J., Sibunruang, C., Paungpronpitag, S., Chamchong, R., Chotthanom, A.: A web pornography patrol system by content-based analysis: in particular text and image. In: 2008 IEEE International Conference on Systems, Man and Cybernetics, pp. 500–505, October 2008. https://doi.org/10.1109/ICSMC.2008.4811326

  46. Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC 8446, RFC Editor, August 2018


  47. Sherry, J., Lan, C., Popa, R.A., Ratnasamy, S.: BlindBox: deep packet inspection over encrypted traffic. In: Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015, pp. 213–226. ACM, New York (2015). https://doi.org/10.1145/2785956.2787502

  48. Trach, B., Krohmer, A., Gregor, F., Arnautov, S., Bhatotia, P., Fetzer, C.: ShieldBox: secure middleboxes using shielded execution. In: Proceedings of the Symposium on SDN Research, SOSR 2018, pp. 2:1–2:14. ACM, New York (2018). https://doi.org/10.1145/3185467.3185469

  49. Tuecke, S., Welch, V., Pearlman, D.E.L., Thompson, M.: Internet X.509 public key infrastructure (PKI) proxy certificate profile. RFC 3820, RFC Editor, June 2004. http://www.rfc-editor.org/rfc/rfc3820.txt

Author information

Corresponding authors

Correspondence to Islam Faisal or Sherif El-Kassas.

Appendix A Content Filtering Policy Language

In the proposed framework, we have defined a policy language to be used with the proxy certificate profile. In this section, we list the structure of that language.

The policy of the proxy certificate extension is encoded as a string in the field policy in Listing 1.1. This string is an encoding of the structure listed in Listing 1.2. This structure is defined in Abstract Syntax Notation One (ASN.1) [34], a standard interface description language. The structure consists of the fields mentioned in Sect. 3.3.
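RFC 3820 [49] carries the policy inside the ProxyCertInfo extension. The following added example, which is not code from the paper, decodes a ProxyCertInfo value laid out as in that RFC and returns the policy bytes undecoded, because the paper's own policy structure (Listing 1.2) is not reproduced on this page. The sample bytes, the choice of id-ppl-anyLanguage and the function names are constructed assumptions.

```python
# Added example (not the paper's code): strict reader for RFC 3820 ProxyCertInfo DER.
# id-ppl-inheritAll and id-ppl-independent: RFC 3820 forbids a policy field with these.
NO_POLICY_LANGUAGES = ("1.3.6.1.5.5.7.21.1", "1.3.6.1.5.5.7.21.2")

def read_tlv(buf, pos):
    # Return (tag, value, next_pos) for the DER element starting at pos.
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    # First sub-identifier is assumed to fit in one byte (true for the OIDs used here).
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def parse_proxy_cert_info(der):
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ProxyCertInfo must be one SEQUENCE")
    path_len = None
    tag, val, pos = read_tlv(seq, 0)
    if tag == 0x02:  # optional pCPathLenConstraint
        path_len = int.from_bytes(val, "big", signed=True)
        tag, val, pos = read_tlv(seq, pos)
    if tag != 0x30 or pos != len(seq) or (path_len or 0) < 0:
        raise ValueError("malformed ProxyCertInfo")
    ltag, oid, ppos = read_tlv(val, 0)  # policyLanguage, then optional policy
    ptag, policy, ppos = read_tlv(val, ppos) if ppos < len(val) else (0x04, None, ppos)
    if ltag != 0x06 or not oid or ptag != 0x04 or ppos != len(val):
        raise ValueError("malformed ProxyPolicy")
    language = decode_oid(oid)
    if language in NO_POLICY_LANGUAGES and policy is not None:
        raise ValueError("RFC 3820 forbids a policy field with this language")
    return {"path_len": path_len, "language": language, "policy": policy}

# Constructed sample: path length 0, id-ppl-anyLanguage, opaque placeholder policy bytes.
SAMPLE = bytes.fromhex("3023 020100 301e 06082b06010505071500 0412") + b"constructed-policy"
```

The returned policy bytes are what a relying party would then decode with the framework's policy structure before granting the proxy any access.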

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Faisal, I., El-Kassas, S. (2019). Limited Proxying for Content Filtering Based on X.509 Proxy Certificate Profile. In: Lanet, JL., Toma, C. (eds) Innovative Security Solutions for Information Technology and Communications. SECITC 2018. Lecture Notes in Computer Science, vol 11359. Springer, Cham. https://doi.org/10.1007/978-3-030-12942-2_17

  • DOI: https://doi.org/10.1007/978-3-030-12942-2_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-12941-5

  • Online ISBN: 978-3-030-12942-2

  • eBook Packages: Computer Science, Computer Science (R0)
