Improving SNI-based HTTPS Security Monitoring

Wazen M. Shbair (1), Thibault Cholez (1), Jérôme François (1), Isabelle Chrisment (1)
(1) MADYNES - Management of dynamic networks and services
Inria Nancy - Grand Est, LORIA - NSS - Department of Networks, Systems and Services
Abstract: Recent surveys show that the proportion of encrypted web traffic is quickly increasing. On one side, it provides users with essential properties of security and privacy, but on the other side, it raises important challenges and issues for organizations, related to the security monitoring of encrypted traffic (filtering, anomaly detection, etc.). This paper proposes to improve a recent technique for HTTPS traffic monitoring that is based on the Server Name Indication (SNI) field of TLS and which has been implemented in many firewall solutions. This method currently has some weaknesses that can be used to bypass firewalls by overwriting the SNI value of new TLS connections. Our investigation shows that 92% of the HTTPS websites surveyed in this paper can be accessed with a fake SNI. Our approach verifies the coherence between the real destination server and the claimed value of SNI by relying on a trusted DNS service. Experimental results show the ability to overcome the shortcomings of SNI-based monitoring by detecting forged SNI values while having a very small false positive rate (1.7%). The overhead of our solution adds only negligible delays to access HTTPS websites. The proposed method opens the door to improving global HTTPS monitoring and firewall systems.
Document type: Conference papers

https://hal.inria.fr/hal-01349710
Contributor: Thibault Cholez
Submitted on: Thursday, July 28, 2016 - 1:59:14 PM
Last modification on: Thursday, February 7, 2019 - 3:27:17 PM
Long-term archiving on: Saturday, October 29, 2016 - 10:40:14 AM

Identifiers

  • HAL Id : hal-01349710, version 1

Citation

Wazen M. Shbair, Thibault Cholez, Jérôme François, Isabelle Chrisment. Improving SNI-based HTTPS Security Monitoring. Second IEEE International Workshop on Security Testing and Monitoring, Jun 2016, Nara, Japan. pp.6. ⟨hal-01349710⟩
