Nonintrusive SSL/TLS proxy technique with JSON-based policy / Suhairi Mohd Jawi @ Said

Certificate and SSL/TLS connections are two security aspects needs to be handled simultaneously in HTTPS. Some previous studies focused more on trust relationship in certificates whereas the properties of SSL/TLS connections were more prevalent in SSL/TLS surveys. Thus, this study proposes a non-intrusive proxy technique that merges this gap. The first part of this study discusses the components of the proposed proxy which handles two categories of attributes classified as static or dynamic. These attributes are compared against a set of policies written in JavaScript Object Notation (JSON). Second part of this study considers the practical implementation of this proxy for monitoring both SSL/TLS certificates and-connection properties in between web browsers and SSL/TLS web server. It moderates the ongoing and subsequent SSL/TLS sessions from clients that proxy serves. This proxy can be considered as a localized notary with single path probing as compared to other notary services which use the concept of multipath probing via multiple network vantage points. Benefit of this work will be demonstrated as a simpler implementation for clients who have no effective means to authenticate and secure HTTPS connection except provided by the browser. The proxy successfully detects and warns some well-known issues regarding SSL/TLS although it may miss some SSL/TLS issues that require intensive and time consuming analysis such provided by Qualys' SSL Server Test.