Improving SNI-based HTTPS Security Monitoring

Wazen M. Shbair (1), Thibault Cholez (1), Jérôme François (1), Isabelle Chrisment (1)
(1) MADYNES - Management of dynamic networks and services
Inria Nancy - Grand Est, LORIA - NSS - Department of Networks, Systems and Services
Abstract: Recent surveys show that the proportion of encrypted web traffic is quickly increasing. On one side, it provides users with essential properties of security and privacy, but on the other side, it raises important challenges and issues for organizations, related to the security monitoring of encrypted traffic (filtering, anomaly detection, etc.). This paper proposes to improve a recent technique for HTTPS traffic monitoring that is based on the Server Name Indication (SNI) field of TLS and which has been implemented in many firewall solutions. This method currently has some weaknesses that can be used to bypass firewalls by overwriting the SNI value of new TLS connections. Our investigation shows that 92% of the HTTPS websites surveyed in this paper can be accessed with a fake SNI. Our approach verifies the coherence between the real destination server and the claimed value of SNI by relying on a trusted DNS service. Experimental results show the ability to overcome the shortage of SNI-based monitoring by detecting forged SNI values while having a very small false positive rate (1.7%). The overhead of our solution only adds negligible delays to access HTTPS websites. The proposed method opens the door to improve global HTTPS monitoring and firewall systems.
Document type: Conference paper
Second IEEE International Workshop on Security Testing and Monitoring, Jun 2016, Nara, Japan. IEEE, pp.6, 2016, ICDCS 2016 - Workshops of the 36th IEEE International Conference on Distributed Computing Systems

Cited literature: 20 references

https://hal.inria.fr/hal-01349710
Contributor: Thibault Cholez
Submitted on: Thursday, July 28, 2016 - 13:59:14
Last modified on: Tuesday, April 10, 2018 - 10:35:34
Document(s) archived on: Saturday, October 29, 2016 - 10:40:14

Identifiers

  • HAL Id : hal-01349710, version 1

Citation

Wazen M. Shbair, Thibault Cholez, Jérôme François, Isabelle Chrisment. Improving SNI-based HTTPS Security Monitoring. Second IEEE International Workshop on Security Testing and Monitoring, Jun 2016, Nara, Japan. IEEE, pp.6, 2016, ICDCS 2016 - Workshops of the 36th IEEE International Conference on Distributed Computing Systems. 〈hal-01349710〉

Metrics

Record views: 427

File downloads: 973