A survey and analysis of TLS interception mechanisms and motivations
Authors:
Xavier de Carné de Carnavalet,
Paul C. van Oorschot
Abstract:
TLS is an end-to-end protocol designed to provide confidentiality and integrity guarantees that improve end-user security and privacy. While TLS helps defend against pervasive surveillance of intercepted unencrypted traffic, it also hinders several common beneficial operations typically performed by middleboxes on the network traffic. Consequently, various methods have been proposed that "bypass"…
▽ More
TLS is an end-to-end protocol designed to provide confidentiality and integrity guarantees that improve end-user security and privacy. While TLS helps defend against pervasive surveillance of intercepted unencrypted traffic, it also hinders several common beneficial operations typically performed by middleboxes on the network traffic. Consequently, various methods have been proposed that "bypass" the confidentiality goals of TLS by playing with keys and certificates essentially in a man-in-the-middle solution, as well as new proposals that extend the protocol to accommodate third parties, delegation schemes to trusted middleboxes, and fine-grained control and verification mechanisms. We first review the use cases expecting plain HTTP traffic and discuss the extent to which TLS hinders these operations. We retain 19 scenarios where access to unencrypted traffic is still relevant and evaluate the incentives of the stakeholders involved. Second, we survey 30 schemes by which TLS no longer delivers end-to-end security, and by which the notion of an "end" changes, including caching middleboxes such as Content Delivery Networks. Finally, we compare each scheme based on deployability and security characteristics, and evaluate their compatibility with the stakeholders' incentives. Our analysis leads to a number of key findings, observations, and research questions that we believe will be of interest to practitioners, policy makers and researchers.
△ Less
Submitted 27 December, 2022; v1 submitted 30 October, 2020;
originally announced October 2020.
Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case
Authors:
Xavier de Carné de Carnavalet,
Mohammad Mannan
Abstract:
Comprehensive case studies on malicious code mostly focus on botnets and worms (recently revived with IoT devices), prominent pieces of malware or Advanced Persistent Threats, exploit kits, and ransomware. However, adware seldom receives such attention. Previous studies on "unwanted" Windows applications, including adware, favored breadth of analysis, uncovering ties between different actors and d…
▽ More
Comprehensive case studies on malicious code mostly focus on botnets and worms (recently revived with IoT devices), prominent pieces of malware or Advanced Persistent Threats, exploit kits, and ransomware. However, adware seldom receives such attention. Previous studies on "unwanted" Windows applications, including adware, favored breadth of analysis, uncovering ties between different actors and distribution methods. In this paper, we demonstrate the capabilities, privacy and security risks, and prevalence of a particularly successful and active adware business: Wajam, by tracking its evolution over nearly six years. We first study its multi-layer antivirus evasion capabilities, a combination of known and newly adapted techniques, that ensure low detection rates of its daily variants, along with prominent features, e.g., traffic interception and browser process injection. Then, we look at the privacy and security implications for infected users, including plaintext leaks of browser histories and keyword searches on highly popular websites, along with arbitrary content injection on HTTPS webpages and remote code execution vulnerabilities. Finally, we study Wajam's prevalence through the popularity of its domains. Once considered as seriously as spyware, adware is now merely called "not-a-virus", "optional" or "unwanted" although its negative impact is growing. We emphasize that the adware problem has been overlooked for too long, which can reach (or even surplus) the complexity and impact of regular malware, and pose both privacy and security risks to users, more so than many well-known and thoroughly-analyzed malware families.
△ Less
Submitted 17 May, 2019; v1 submitted 13 May, 2019;
originally announced May 2019.