This is the final paper from the inaugural Research for Practice selections, and the third of Justine Sherry’s three picks. The fundamental problem addressed is the same one we looked at yesterday: how do you accommodate middleboxes in HTTPS traffic? More specifically, this paper looks at deep packet inspection (DPI) network functions as used for intrusion detection and prevention (IDS/IPS). Sherry et al. have a more evocative way of describing the state-of-the-practice Split TLS solution than yesterday’s paper authors:
To enable middlebox processing, some currently deployed middlebox systems support HTTPS in an insecure way: they mount a man-in-the-middle attack on SSL and decrypt the traffic at the middlebox. This approach violates the end-to-end security guarantees of SSL and thus causes an unfortunate set of issues, as surveyed in Jeff Jarmoc’s SSL/TLS Interception Proxies and Transitive Trust talk at Black Hat Europe 2012.