maTLS: How to Make TLS middlebox-aware?
Hyunwoo Lee, Zach Smith, Junghwan Lim†, Gyeongjae Choi, Selin Chun, Taejoong Chung, Ted “Taekyoung” Kwon
Network and Distributed Systems Security (NDSS) Symposium 2019
- Client side: a fake root certificate is installed on the client.
- Server side: CDNs request the server's private keys.
=> Increased risk of MITM attacks => How can a middlebox work honestly? Three approaches:
  1. encryption-based
  2. TEE-based
  3. TLS-extension-based
- Authentication: the client cannot authenticate the intended server.
- Confidentiality: a middlebox may negotiate a weak ciphersuite.
- Integrity: a misbehaving middlebox can modify traffic unchecked.
- Authenticate all middleboxes
- Audit all middleboxes
- Security parameter verification
- Valid modification checks
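The last two goals are the ones a client can mechanically check. As an added illustration (not the paper's wire format or the maTLS implementation), the following Python sketch models a chain server -> read-only cache -> rewriting filter -> client. Every hop shares an accountability key with the client (here generated at random, which is an assumption of this example) and appends an HMAC-tagged entry committing to the hash of what it received and the hash of what it forwarded. The client walks the log to reject unlogged edits, edits by read-only hops, and entries from entities it never authenticated, and separately rejects segments whose negotiated TLS version or ciphersuite fall below policy. Entity names, the `read`/`write` permission strings and the log layout are all assumptions.

```python
import hashlib
import hmac
import secrets

# Added example: simplified modification log and parameter check, not the
# paper's own construction. Names and layout are assumptions.

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def log_entry(entity_id: str, key: bytes, msg_in: bytes, msg_out: bytes) -> tuple:
    """Entry a hop appends: commits to hash(received) and hash(forwarded)
    under its accountability key, which it shares with the client."""
    h_in, h_out = sha256(msg_in), sha256(msg_out)
    tag = mac(key, entity_id.encode() + h_in + h_out)
    return (entity_id, h_in, h_out, tag)

def forward(entity_id, key, permission, msg, log, transform=None):
    """One hop handles msg: a write-permitted hop may apply transform; every
    hop logs, so an honest read-only hop produces h_in == h_out."""
    out = transform(msg) if (permission == "write" and transform) else msg
    log.append(log_entry(entity_id, key, msg, out))
    return out

def check_security_params(params: dict, policy: dict) -> list:
    """Security parameter verification: each segment reports (version, suite);
    return the ids of segments that violate the client's policy."""
    return [eid for eid, (version, suite) in params.items()
            if version < policy["min_version"] or suite not in policy["suites"]]

def verify_log(log, keys, permissions, received: bytes) -> bool:
    """Valid modification check done by the client over the whole chain."""
    prev = sha256(b"")                       # the server's "input" is empty
    for entity_id, h_in, h_out, tag in log:
        if entity_id not in keys:            # entity was never authenticated
            return False
        if h_in != prev:                     # chain broken: an edit was not logged
            return False
        expected = mac(keys[entity_id], entity_id.encode() + h_in + h_out)
        if not hmac.compare_digest(tag, expected):
            return False                     # forged or tampered entry
        if permissions[entity_id] == "read" and h_in != h_out:
            return False                     # read-only hop changed the content
        prev = h_out
    return prev == sha256(received)          # delivered bytes match the last entry

def run_demo() -> dict:
    keys = {e: secrets.token_bytes(32) for e in ("server", "cache", "filter")}
    perms = {"server": "write", "cache": "read", "filter": "write"}
    page = lambda _: b"<html>hello</html>"   # constructed server response
    results = {}

    # 1. Honest chain: server -> read-only cache -> rewriting filter -> client
    log = []
    m = forward("server", keys["server"], "write", b"", log, page)
    m = forward("cache", keys["cache"], "read", m, log)
    m = forward("filter", keys["filter"], "write", m, log,
                lambda x: x.replace(b"hello", b"hi"))
    results["delivered"] = m
    results["honest"] = verify_log(log, keys, perms, m)

    # 2. Bytes altered after the last logged hop (no matching entry)
    results["unlogged_tamper"] = verify_log(log, keys, perms, m + b"x")

    # 3. The read-only cache rewrites content despite its permission
    log = []
    m = forward("server", keys["server"], "write", b"", log, page)
    m = forward("cache", keys["cache"], "write", m, log, lambda x: x + b"<!--ad-->")
    results["readonly_modified"] = verify_log(log, keys, perms, m)

    # 4. An entity the client never authenticated appends an entry
    log = []
    m = forward("server", keys["server"], "write", b"", log, page)
    m = forward("injector", secrets.token_bytes(32), "write", m, log, lambda x: x + b"!")
    results["unknown_entity"] = verify_log(log, keys, perms, m)

    # 5. Per-segment parameters: 0x0304 = TLS 1.3, 0x0301 = TLS 1.0
    policy = {"min_version": 0x0303,
              "suites": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}}
    params = {"server": (0x0304, "TLS_AES_128_GCM_SHA256"),
              "cache": (0x0301, "TLS_RSA_WITH_RC4_128_SHA")}
    results["weak_segments"] = check_security_params(params, policy)
    return results

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The chain property is what ties the two goals together: because each entry's `h_in` must equal the previous entry's `h_out`, any change to the bytes that no authenticated hop signed for shows up as a gap, and the permission check on `h_in == h_out` is what turns "audit all middleboxes" into something the client can enforce per message rather than only per session.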
Middlebox transparency (MT): an MT system targets middlebox certificates; it logs them so that they can be publicly monitored and audited by any interested party.
How to do it
An extension in the middlebox's X.509 certificate indicates the access permission granted to that middlebox.