Efficiently Bypassing SNI-based HTTPS Filtering

International audienceEncrypted Internet traffic is an essential element to enable security and privacy in the Internet. Surveys show that websites are more and more being served over HTTPS. They highlight an increase of 48% of sites using TLS over the past year, justifying the tendency that the Web is going to be encrypted. This motivates the development of new tools and methods to monitor and filter HTTPS traffic. This paper handles the latest technique for HTTPS traffic filtering that is based on the Server Name Indication (SNI) field of TLS and which has been recently implemented in many firewall solutions. Our main contribution is an evaluation of the reliability of this SNI extension for properly identifying and filtering HTTPS traffic. We show that SNI has two weaknesses, regarding (1) backward compatibility and (2) multiple services using a single certificate. We demonstrate thanks to a web browser plug-in called " Escape " that we designed and implemented, how these weaknesses can be practically used to bypass firewalls and monitoring systems relying on SNI. The results show positive evaluation (firewall's rules successfully bypassed) for all tested websites

Bypassing Content-based internet packages with an SSL/TLS Tunnel, SNI Spoofing, and DNS spoofing

Internet Service Providers (ISPs) are increasingly offering content-based packages to their clients. These packages offer access to a range of online content, such as Facebook, YouTube, Messenger, Zoom, and many other popular services, for a fixed price. This allows users to access all the content they want without worrying about data caps or overage charges. These packages are way cheaper than regular internet packages. Even some ISPs offer unlimited content-based packages for a low price. When using these packages, network traffic is continuously filtered by the ISP, and the user will be charged separately for using other services which are not included in the content-based package. Some internet users are using HTTP injector Software to bypass ISP's Network traffic filters and access other resources available on the internet using content-based package data quotes. This research aims to find an alternative method to bypass ISP's Network traffic filters without using an HTTP injector

A Multi-Level Framework to Identify HTTPS Services

International audienceThe development of TLS-based encrypted traffic comes with new challenges related to the management and security analysis of encrypted traffic. There is an essential need for new methods to investigate, with a proper level of identification, the increasing number of HTTPS traffic that may hold security breaches. In fact, although many approaches detect the type of an application (Web, P2P, SSH, etc.) running in secure tunnels, and others identify a couple of specific encrypted web pages through website fingerprinting, this paper proposes a robust technique to precisely identify the services run within HTTPS connections, i.e. to name the services, without relying on specific header fields that can be easily altered. We have defined dedicated features for HTTPS traffic that are used as input for a multi-level identification framework based on machine learning algorithms. Our evaluation based on real traffic shows that we can identify encrypted web services with a high accuracy

How India Censors the Web

One of the primary ways in which India engages in online censorship is by ordering Internet Service Providers (ISPs) operating in its jurisdiction to block access to certain websites for its users. This paper reports the different techniques Indian ISPs are using to censor websites, and investigates whether website blocklists are consistent across ISPs. We propose a suite of tests that prove more robust than previous work in detecting DNS and HTTP based censorship. Our tests also discern the use of SNI inspection for blocking websites, which is previously undocumented in the Indian context. Using information from court orders, user reports, and public and leaked government orders, we compile the largest known list of potentially blocked websites in India. We pass this list to our tests and run them from connections of six different ISPs, which together serve more than 98% of Internet users in India. Our findings not only confirm that ISPs are using different techniques to block websites, but also demonstrate that different ISPs are not blocking the same websites

Improving SNI-based HTTPS Security Monitoring

International audienceRecent surveys show that the proportion of encrypted web traffic is quickly increasing. On one side, it provides users with essential properties of security and privacy, but on the other side, it raises important challenges and issues for organizations, related to the security monitoring of encrypted traffic (filtering, anomaly detection, etc.). This paper proposes to improve a recent technique for HTTPS traffic monitoring that is based on the Server Name Indication (SNI) field of TLS and which has been implemented in many firewall solutions. This method currently has some weaknesses that can be used to bypass firewalls by overwriting the SNI value of new TLS connections. Our investigation shows that 92% of the HTTPS websites surveyed in this paper can be accessed with a fake SNI. Our approach verifies the coherence between the real destination server and the claimed value of SNI by relying on a trusted DNS service. Experimental results show the ability to overcome the shortage of SNI-based monitoring by detecting forged SNI values while having a very small false positive rate (1.7%). The overhead of our solution only adds negligible delays to access HTTPS websites. The proposed method opens the door to improve global HTTPS monitoring and firewall systems

Attention-based bidirectional GRU networks for efficient HTTPS traffic classification

This is the author accepted manuscript. The final version is available from the publisher via the DOI in this recordDistributed and pervasive web services have become a major platform for sharing information. However, the hypertext transfer protocol secure (HTTPS), which is a crucial web encryption technology for protecting the information security of users, creates a supervisory burden for network management (e.g., quality-of-service guarantees and traffic engineering). Identifying various types of encrypted traffic is crucial for cyber security and network management. In this paper, we propose a novel deep learning model called BGRUA to identify the web services running on HTTPS connections accurately. BGRUA utilizes a bidirectional gated recurrent unit (GRU) and attention mechanism to improve the accuracy of HTTPS traffic classification. The bidirectional GRU is used to extract the forward and backward features of the byte sequences in a session. The attention mechanism is adopted to assign weights to features according to their contributions to classification. Additionally, we investigate the effects of different hyperparameters on the performance of BGRUA and present a set of optimal values that can serve as a basis for future relevant studies. Comparisons to existing methods based on three typical datasets demonstrate that BGRUA outperforms state-of-the-art encrypted traffic classification approaches in terms of accuracy, precision, recall, and F1-score