Section: New Results

A Cryptographic Analysis of Content Delivery of TLS

Participants : Karthikeyan Bhargavan, Ioana Boureanu [University of Surrey] , Pierre-Alain Fouque [University of Rennes 1/IRISA] , Cristina Onete [University of Rennes 1/IRISA] , Benjamin Richard [Orange Labs Chatillon] .

The Transport Layer Security (TLS) protocol is designed to allow two parties, a client and a server, to communicate securely over an insecure network. However, when TLS connections are proxied through an intermediate middlebox, like a Content Delivery Network (CDN), the standard end-to-end security guarantees of the protocol no longer apply.

As part of the SafeTLS project, we investigated the security guarantees provided by Keyless SSL, a CDN architecture currently deployed by CloudFlare that composes two TLS 1.2 handshakes to obtain a proxied TLS connection. We demonstrated new attacks that show that Keyless SSL does not meet its intended security goals. We argued that proxied TLS handshakes require a new, stronger, 3-party security definition, and we presented one.

We modified Keyless SSL and proved that our modifications guarantee this notion of security. Notably, we showed that secure proxying in TLS 1.3 is computationally lighter and requires simpler assumptions on the certificate infrastructure than our proposed fix for Keyless SSL. Our results indicate that proxied TLS architectures, as currently used by a number of CDNs, may be vulnerable to subtle attacks and deserve close attention [39].