Transport Layer Security (TLS) interceptors are applications, running on client devices or on separate machines, that filter TLS-protected traffic between two endpoints. They split the original TLS channel into two TLS channels and may significantly affect the security obtained. They are increasingly used and installed by numerous end users and network administrators. It is necessary to assess X.509 certificate processing in TLS interceptors, since flaws in performing this task correctly and completely may weaken the client's communication security. We define X.509-related tests, divided into five categories according to which X.509 certificate fields or extensions are analyzed. We propose a method for automatically generating wrong, malformed, or unusual X.509 certificates (and chains), together with configuration files suitable for the most common web servers, such as Apache or Nginx. We deploy the generated configuration files on TLS-aware web servers in an experimental testbed set up to test the behavior of four selected TLS interceptors (two antivirus and two proxy applications) running on different operating systems. We report the results obtained, underlining the need to test such applications in depth so that they do not decrease the security levels achieved by the clients.
On the Evaluation of X.509 Certificate Processing in Transport Layer Security Interceptors / Berbecaru, Diana Gratiela; Sisinni, Silvia; Simone, Matteo. - ELECTRONIC. - (2024), pp. 1-6. (Paper presented at the 2024 IEEE Symposium on Computers and Communications (ISCC), held in Paris (FRA), 26-29 June 2024) [10.1109/ISCC61673.2024.10733685].
On the Evaluation of X.509 Certificate Processing in Transport Layer Security Interceptors
Berbecaru, Diana Gratiela; Sisinni, Silvia; Simone, Matteo
2024
File | Type | License | Size | Format | Access
---|---|---|---|---|---
On_the_evaluation_of_X.509_certificate_processing_in_Transport_Layer_Security_interceptors.pdf (not available) | 2a Post-print, publisher's version / Version of Record | Not public - private/restricted access | 179.86 kB | Adobe PDF | View/Open: request a copy
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/2991441