
Abstract

The Internet was originally designed so that applications communicate directly with one another, without their data being tampered with along the path; this is the end-to-end principle [1]. In practice, network elements such as firewalls, proxies, and load balancers violate this principle for a range of legitimate reasons, including security, performance, interoperability, and policy enforcement [2]. These elements, known as "middleboxes" [3], bring benefits but also several problems and shortcomings: they can interfere with end-to-end encryption [4], introduce new vulnerabilities [5], and hold back the Internet's evolution [6]. Various approaches have been proposed to detect and study middlebox interference [7-9], but many have limitations that hinder their effectiveness and adoption. Some are too complex to manage and scale [10]; others are no longer maintained, for security reasons [11]. New approaches are therefore needed that are more efficient, scalable, secure, and general. To this end, we are developing a modular, simple, and scalable state-machine-based language, together with a dedicated architecture, to detect, identify, and locate vulnerabilities in the configuration or implementation of these components [12]. Before this framework can be deployed, however, we need to design a set of test cases that can be integrated into it.

TLS [13] has become an essential component for securing Internet transactions and protecting sensitive data in transit. Without it, online communications would be exposed to interception, that is, to man-in-the-middle attacks. However, even though TLS is widely used, its implementations in network components do not always follow the standard, or may simply rely on outdated protocol versions [14].

In this project, we aim to implement the tests that GREASE [15] makes possible, in order to evaluate the implementation and deployment of TLS-related middleboxes. GREASE has a client advertise reserved values (cipher suites, extensions, named groups, signature algorithms, and versions) that carry no meaning, so that a peer or middlebox which rejects unknown values, or selects one of them, reveals itself as non-compliant with the TLS extensibility rules. By creating these tests and integrating them into our framework, the student would help us take a step towards a better and more complete tool. The work would not only benefit us; it would also give the student hands-on experience with computer networks and a deeper understanding of the challenges posed by the transparent elements that today's networks rely on.
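As an added illustration of what such a GREASE test case looks like (this is example code written for this page, not code from the NoPASARAN project or from RFC 8701), the block below builds a minimal TLS 1.3 ClientHello carrying one GREASE value in each list the RFC covers, and classifies what a server or an intercepting middlebox returns: a valid ServerHello ("ok"), an alert or a closed connection ("intolerant", i.e. the peer choked on values it should have ignored), or a ServerHello that selects a GREASE value ("noncompliant"). The ServerHello records and the alert used as inputs are constructed inline as sample data; the 0x0A0A, 0x1A1A, ..., 0xFAFA value set and the extension type numbers are those of the RFCs.

```python
"""Offline GREASE (RFC 8701) checks: build a GREASE-bearing ClientHello and
classify a peer's reply. Added example for this page, not project or RFC code."""
import os

# The 16 reserved 16-bit GREASE values: 0x0A0A, 0x1A1A, ..., 0xFAFA (RFC 8701, Section 2).
GREASE_16 = [((i << 4) | 0x0A) * 0x0101 for i in range(16)]
SUPPORTED_VERSIONS, SUPPORTED_GROUPS, SIGNATURE_ALGORITHMS, KEY_SHARE = 43, 10, 13, 51


def is_grease16(v):
    """True for any reserved 16-bit GREASE value (both bytes equal, low nibble 0xA)."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def u16(v):
    return v.to_bytes(2, "big")


def u16s(vals):
    return b"".join(u16(v) for v in vals)


def u16at(b, off):
    return int.from_bytes(b[off:off + 2], "big")


def parse_extensions(body, off):
    """Parse a TLS extensions block whose 2-byte length sits at `off`; returns {type: data}."""
    end = off + 2 + u16at(body, off)
    off += 2
    exts = {}
    while off < end:
        t, n = u16at(body, off), u16at(body, off + 2)
        exts[t] = body[off + 4:off + 4 + n]
        off += 4 + n
    return exts


def build_client_hello(grease=True, slot=0):
    """Minimal TLS 1.3 ClientHello handshake message (no record header).
    With grease=True, one GREASE value is inserted in every list RFC 8701 covers."""
    g = [GREASE_16[slot % 16]] if grease else []
    suites = g + [0x1301, 0x1302, 0x1303]          # AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305
    groups = g + [0x001D, 0x0017]                  # x25519, secp256r1
    sigalgs = g + [0x0403, 0x0804]                 # ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256
    versions = g + [0x0304, 0x0303]                # TLS 1.3, TLS 1.2
    exts = [(t, b"") for t in g]                   # an empty-bodied GREASE extension
    exts += [(SUPPORTED_VERSIONS, bytes([2 * len(versions)]) + u16s(versions)),
             (SUPPORTED_GROUPS, u16(2 * len(groups)) + u16s(groups)),
             (SIGNATURE_ALGORITHMS, u16(2 * len(sigalgs)) + u16s(sigalgs))]
    ext_bytes = b"".join(u16(t) + u16(len(d)) + d for t, d in exts)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"      # legacy_version, random, empty session id
            + u16(2 * len(suites)) + u16s(suites)
            + b"\x01\x00"                                # compression methods: null only
            + u16(len(ext_bytes)) + ext_bytes)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Return (cipher_suites, extensions) of a ClientHello handshake message."""
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    off = 2 + 32
    off += 1 + body[off]                                 # skip session id
    n = u16at(body, off)
    off += 2
    suites = [u16at(body, off + i) for i in range(0, n, 2)]
    off += n
    off += 1 + body[off]                                 # skip compression methods
    return suites, parse_extensions(body, off)


def build_server_hello_record(suite, version, group):
    """Constructed ServerHello inside a TLS record; stands in for a server or middlebox reply."""
    share = u16(group) + u16(32) + b"\x00" * 32          # placeholder public key, not real crypto
    exts = (u16(SUPPORTED_VERSIONS) + u16(2) + u16(version)
            + u16(KEY_SHARE) + u16(len(share)) + share)
    body = b"\x03\x03" + os.urandom(32) + b"\x00" + u16(suite) + b"\x00" + u16(len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + u16(len(hs)) + hs


def classify_response(record):
    """Classify the TLS record a peer returned in reply to a GREASE-bearing ClientHello."""
    if not record:
        return "intolerant: connection closed without a response"
    if record[0] == 0x15:                                # alert record: level, description
        return f"intolerant: alert level={record[5]} description={record[6]}"
    if record[0] != 0x16 or record[5] != 0x02:
        return "unexpected: not a ServerHello"
    hs = record[5:]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32
    off += 1 + body[off]                                 # skip session id echo
    suite = u16at(body, off)
    off += 3                                             # cipher suite + compression byte
    findings = []
    if is_grease16(suite):
        findings.append(f"negotiated GREASE cipher suite 0x{suite:04X}")
    for t, d in parse_extensions(body, off).items():
        if is_grease16(t):
            findings.append(f"echoed GREASE extension 0x{t:04X}")
        elif t in (SUPPORTED_VERSIONS, KEY_SHARE) and is_grease16(u16at(d, 0)):
            findings.append(f"selected GREASE value 0x{u16at(d, 0):04X} in extension {t}")
    return "ok" if not findings else "noncompliant: " + "; ".join(findings)


if __name__ == "__main__":
    suites, exts = parse_client_hello(build_client_hello(slot=3))
    print("offered suites:", [f"0x{s:04X}" for s in suites])
    print(classify_response(build_server_hello_record(0x1301, 0x0304, 0x001D)))
    print(classify_response(build_server_hello_record(0x3A3A, 0x0304, 0x001D)))
    print(classify_response(b"\x15\x03\x03\x00\x02\x02\x28"))   # fatal handshake_failure
```

In a real test case the ClientHello would be sent over a TCP connection through the middlebox under test and the first record read back would be handed to classify_response; the "intolerant" and "noncompliant" outcomes are the two distinct failure modes a GREASE test is designed to surface, and they point at different bugs (an unknown-value rejection versus a broken "pick the first value" negotiation).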

References

  • [1] Saltzer, Jerome H., David P. Reed, and David D. Clark. "End-to-end arguments in system design." ACM Transactions on Computer Systems (TOCS) 2.4 (1984): 277-288.
  • [2] Edeline, Korian, and Benoit Donnet. "Towards a middlebox policy taxonomy: Path impairments." 2015 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). IEEE, 2015.
  • [3] Carpenter, Brian, and Scott Brim. "Middleboxes: Taxonomy and issues." RFC 3234, IETF, 2002.
  • [4] O'Neill, Mark, et al. "TLS proxies: Friend or foe?" Proceedings of the 2016 Internet Measurement Conference. ACM, 2016.
  • [5] Jabiyev, Bahruz, et al. "T-Reqs: HTTP request smuggling with differential fuzzing." Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2021.
  • [6] Craven, Ryan, Robert Beverly, and Mark Allman. "A middlebox-cooperative TCP for a non end-to-end Internet." ACM SIGCOMM Computer Communication Review 44.4 (2014): 151-162.
  • [7] Detal, Gregory, et al. "Revealing middlebox interference with tracebox." Proceedings of the 2013 Internet Measurement Conference. ACM, 2013.
  • [8] Craven, Ryan, Robert Beverly, and Mark Allman. "A middlebox-cooperative TCP for a non end-to-end Internet." ACM SIGCOMM Computer Communication Review 44.4 (2014): 151-162.
  • [9] Barik, Runa, et al. "fling: A flexible ping for middlebox measurements." 2017 29th International Teletraffic Congress (ITC 29), Vol. 1. IEEE, 2017.
  • [10] Vitale, Antonino, and Marc Dacier. "Inmap-t: Leveraging TTCN-3 to test the security impact of intra network elements." 2021.
  • [11] Kreibich, Christian, et al. "Netalyzr: Illuminating the edge network." Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement. ACM, 2010.
  • [12] Benhabbour, Ilies, and Marc Dacier. "NoPASARAN: a Novel Platform to Analyse Semi Active elements in Routes Across the Network." 2022.
  • [13] Dierks, Tim, and Eric Rescorla. "The Transport Layer Security (TLS) Protocol Version 1.2." RFC 5246, IETF, 2008.
  • [14] Qualys SSL Labs. "SSL Pulse" dashboard. Accessed 17 March 2023. https://www.ssllabs.com/sslpulse/
  • [15] Benjamin, David. "Applying Generate Random Extensions And Sustain Extensibility (GREASE) to TLS Extensibility." RFC 8701, IETF, 2020.