A Large-scale Analysis of Content Modification by Open HTTP Proxies

Tsirantonakis, Giorgos; Ilia, Panagiotis; Ioannidis, Sotiris; Αθανασόπουλος, Ηλίας; Polychronakis, Michalis

doi:10.14722/ndss.2018.23244

Cited by 22 publications

(23 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Such vulnerabilities of middleboxes have been reported in several studies [8], [11], [46], [34], [44]; for instance, some middleboxes accept nearly all certificates in spite of certificate validation failures, which gives a chance for another compromised/malicious middlebox to meddle in the TLS session [8], [11], [46]. Similarly, a middlebox that splits a TLS session may support only weak ciphersuites, which are vulnerable to known attacks such as the Logjam attack [1] or the FREAK attack [3].…”

Section: Introductionmentioning

confidence: 63%

“…Although SplitTLS complies with the current TLS practice, several studies have reported that some middleboxes fail to correctly validate certificates, degrade to weaker ciphersuites, or insert malicious scripts [8], [11], [44], [5]. This means that fundamental security properties (i.e., authentication, confidentiality, and integrity) between two endpoints are broken.…”

Section: E Security Problems In Splittlsmentioning

confidence: 99%

“…The endpoints may not be aware of the middleboxes, their functions, or their states. If the middleboxes are misconfigured or incorrectly implemented, they may accept invalid certificates, use deprecated ciphersuites, or attempt to inject unwanted or malicious content [44], [34].…”

Section: Trust and Threat Modelsmentioning

confidence: 99%

“…Similarly, a middlebox that splits a TLS session may support only weak ciphersuites, which are vulnerable to known attacks such as the Logjam attack [1] or the FREAK attack [3]. Even worse, it has been reported that middleboxes are being used to inject malicious code [44], [34], [5]; for example, Giorgos et al [44] found that 5.15% of proxies inject malicious or unwanted content into web pages.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

maTLS: How to Make TLS middlebox-aware?

Lee¹,

Smith²,

Lim³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Middleboxes are widely deployed in order to enhance security and performance in networking. As communication over TLS becomes increasingly common, however, the end-to-end channel model of TLS undermines the efficacy of middleboxes. Existing solutions, such as 'SplitTLS', which intercepts TLS sessions, often introduce significant security risks by installing a custom root certificate or sharing a private key. Many studies have confirmed security vulnerabilities when combining TLS with middleboxes, which include certificate validation failures, use of obsolete ciphersuites, and unwanted content modification. To address the above issues, we introduce a middlebox-aware TLS protocol, dubbed maTLS, which allows middleboxes to participate in the TLS session in a visible and auditable fashion. Every participating middlebox now splits a session into two segments with their own security parameters in collaboration with the two endpoints. The maTLS protocol is designed to authenticate the middleboxes to verify the security parameters of segments, and to audit the middleboxes' write operations. Thus, security of the session is ensured. We prove the security model of maTLS by using Tamarin, a state-of-theart security verification tool. We also carry out testbed-based experiments to show that maTLS achieves the above security goals with marginal overhead.

show abstract

Section: Introductionmentioning

confidence: 63%

Section: E Security Problems In Splittlsmentioning

confidence: 99%

Section: Trust and Threat Modelsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

maTLS: How to Make TLS middlebox-aware?

Lee¹,

Smith²,

Lim³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…More than 25% of malicious proxies return at least 10 les with malicious content, while the top 10% of malicious proxies return 56 or more malicious les. Surprisingly, none of the 469 discovered proxies that return malicious content ( §7.1) are listed on the service run by Tsirantonakis et al [46] that reports misbehaving proxies. This suggests that correctly identifying misbehaving proxies is very challenging, since proxy misbehavior may be transient and may take di erent forms.…”

Section: Network Diversity and Consistency Of Malicious Proxiesmentioning

confidence: 99%

An Extensive Evaluation of the Internet's Open Proxies

Mani

Vaidya

Dworken

et al. 2018

Proceedings of the 34th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Open proxies forward tra c on behalf of any Internet user. Listed on open proxy aggregator sites, they are often used to bypass geographic region restrictions or circumvent censorship. Open proxies sometimes also provide a weak form of anonymity by concealing the requestor's IP address.To better understand their behavior and performance, we conducted a comprehensive study of open proxies, encompassing more than 107,000 listed open proxies and 13M proxy requests over a 50 day period. While previous studies have focused on malicious open proxies' manipulation of HTML content to insert/modify ads, we provide a more broad study that examines the availability, success rates, diversity, and also (mis)behavior of proxies.Our results show that listed open proxies su er poor availability-more than 92% of open proxies that appear on aggregator sites are unresponsive to proxy requests. Much more troubling, we nd numerous examples of malicious open proxies in which HTML content is manipulated to mine cryptocurrency (that is, cryptojacking). We additionally detect TLS manin-the-middle (MitM) attacks, and discover numerous instances in which binaries fetched through proxies were modi ed to include remote access trojans and other forms of malware. As a point of comparison, we conduct and discuss a similar measurement study of the behavior of Tor exit relays. We nd no instances in which Tor relays performed TLS MitM or manipulated content, suggesting that Tor o ers a far more reliable and safe form of proxied communication.

show abstract

On Privacy Risks of Public WiFi Captive Portals

Ali

Osman

Mannan

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Open access WiFi hotspots are widely deployed in many public places, including restaurants, parks, coffee shops, shopping malls, trains, airports, hotels, and libraries. While these hotspots provide an attractive option to stay connected, they may also track user activities and share user/device information with third-parties, through the use of trackers in their captive portal and landing websites. In this paper, we present a comprehensive privacy analysis of 67 unique public WiFi hotspots located in Montreal, Canada, and shed some light on the web tracking and data collection behaviors of these hotspots. Our study reveals the collection of a significant amount of privacy-sensitive personal data through the use of social login (e.g., Facebook and Google) and registration forms, and many instances of tracking activities, sometimes even before the user accepts the hotspot's privacy and terms of service policies. Most hotspots use persistent third-party tracking cookies within their captive portal site; these cookies can be used to follow the user's browsing behavior long after the user leaves the hotspots, e.g., up to 20 years. Additionally, several hotspots explicitly share (sometimes via HTTP) the collected personal and unique device information with many third-party tracking domains.

show abstract

A Large-scale Analysis of Content Modification by Open HTTP Proxies

Cited by 22 publications

References 17 publications

maTLS: How to Make TLS middlebox-aware?

maTLS: How to Make TLS middlebox-aware?

An Extensive Evaluation of the Internet's Open Proxies

On Privacy Risks of Public WiFi Captive Portals

Contact Info

Product

Resources

About