Khanna, Abhimanyu (2017) Towards usable and fine-grained security for HTTPS with middleboxes. Masters thesis, Concordia University.
Khanna_MASc_F2017.pdf (application/pdf, 665kB) - Accepted Version. Available under License Spectrum Terms of Access.
Abstract
Over the past few years, technology firms have inlined end-to-end encryption for their services and implored for increased in-network functionality. Most firms deploy TLS and middleboxes by performing man-in-the-middle (MITM) of network sessions. In practice, there are no official guidelines for performing MITM, and often several tweaks are used, resulting in less secure systems. TLS was designed for exactly two parties, and introducing a third party by doing MITM breaks TLS and the security benefits it offers.
With increasing debate over finding a clean way to deploy middleboxes with TLS, our work surveys the literature and introduces a benchmark based on the Usability-Deployability-Security (UDS) framework for evaluating existing TLS middlebox interception proposals. Our benchmark encompasses and helps understand the current benefits, solutions and challenges in the existing solutions for incorporating TLS with middleboxes. We perform a comparative and qualitative evaluation of the schemes and summarize the results in a single table. We propose Triraksha, an alternative to the currently deployed middlebox interception models. Triraksha provides a packet inspection service for end-to-end encrypted connections while maintaining fine-grained confidentiality for end points. We evaluate a prototype implementation of our scheme on local and remote servers and show that the overhead in terms of latency and throughput is minimal. Our scheme is easily deployable, as only a few software additions are made at the middlebox and client end.
Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
---|---|
Item Type: | Thesis (Masters) |
Authors: | Khanna, Abhimanyu |
Institution: | Concordia University |
Degree Name: | M.A. Sc. |
Program: | Information Systems Security |
Date: | 28 April 2017 |
Thesis Supervisor(s): | Mannan, Mohammad and Clark, Jeremy |
Keywords: | middlebox, HTTPS, proxy, deployability |
ID Code: | 982500 |
Deposited By: | ABHIMANYU KHANNA |
Deposited On: | 09 Jun 2017 14:33 |
Last Modified: | 18 Jan 2018 17:55 |