Title: Improving SNI-Based HTTPS Security Monitoring
Abstract: Recent surveys show that the proportion of encrypted web traffic is increasing quickly. On one side, encryption provides users with essential security and privacy properties; on the other side, it raises important challenges for organizations that need to monitor encrypted traffic for security purposes (filtering, anomaly detection, etc.). This paper proposes to improve a recent technique for HTTPS traffic monitoring that is based on the Server Name Indication (SNI) field of TLS and that has been implemented in many firewall solutions. This method currently has weaknesses that can be used to bypass firewalls by overwriting the SNI value of new TLS connections. Our investigation shows that 92% of the HTTPS websites surveyed in this paper can be accessed with a fake SNI. Our approach verifies the coherence between the real destination server and the claimed SNI value by relying on a trusted DNS service. Experimental results show the ability to overcome this shortcoming of SNI-based monitoring by detecting forged SNI values while keeping a very small false positive rate (1.7%). The overhead of our solution adds only negligible delay to accessing HTTPS websites. The proposed method opens the door to improving global HTTPS monitoring and firewall systems.
Year: 2016
DOI: 10.1109/ICDCSW.2016.21
Venue: 2016 IEEE 36th International Conference on Distributed Computing Systems Workshops (ICDCSW)
Keywords: HTTPS, network monitoring, TLS, security, firewall
Field: Anomaly detection, Web traffic, Firewall (construction), Computer security, Computer science, Server Name Indication, Computer network, Security monitoring, SNI, Encryption, Network monitoring
DocType: Conference
ISSN: 1545-0678
ISBN: 978-1-5090-3687-5
Citations: 0
PageRank: 0.34
References: 18
Authors: 4
Authors (Name; Order; Citations; PageRank):
Wazen M. Shbair; 1; 12; 3.80
Thibault Cholez; 2; 100; 11.89
Jérôme François; 3; 170; 21.81
Isabelle Chrisment; 4; 225; 25.75