
CDNs' Dark Side: Identifying Security Problems in CDN-to-Origin Connections

Shobiri, Behnam (2021) CDNs' Dark Side: Identifying Security Problems in CDN-to-Origin Connections. Masters thesis, Concordia University.

Text (application/pdf)
Behnam_shobiri_Thesis.pdf - Accepted Version
Available under License Spectrum Terms of Access.


Content Delivery Networks (CDNs) play a vital role in today's Internet ecosystem. To reduce the latency of loading a website's content, CDNs deploy edge servers in different geographic locations. CDN providers also offer important security features, including protection against DoS attacks, Web Application Firewalls (WAFs), and, more recently, issuing and managing TLS certificates for their customers. Many popular websites use CDNs to benefit from both the security and performance advantages.

For HTTPS websites, the TLS security choices may differ between the connection from end-users to the CDN (the front-end, or user-to-CDN, connection) and the connection from the CDN to the origin server (the back-end, or CDN-to-origin, connection). Modern browsers stop or warn users when weak or insecure TLS/HTTPS options are used on the front-end connection. Such problems on the back-end connection, however, are invisible to browsers and end-users, and can lead to serious security issues.

In this thesis, we primarily analyze TLS/HTTPS security issues in the back-end communication; such issues include inadequate certificate validation and support for vulnerable TLS configurations. We develop a test framework and investigate the back-end connections of 14 leading CDNs (including Cloudflare, Microsoft Azure, Amazon, and Fastly) at which we were able to create an account. Surprisingly, for all 14 CDNs, we found that the back-end TLS connections are vulnerable to security issues that modern browsers prevent or warn about on the front-end; examples include failing to validate the origin server's certificate, negotiating insecure cipher suites that use RC4, MD5, or SHA-1, and even allowing plain HTTP connections to the origin. We also identified 168,795 websites in the Alexa top million that are potentially vulnerable to Man-in-the-Middle (MitM) attacks on their back-end connections regardless of the origin/CDN configuration chosen by the origin owner.
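As an added illustration (not code from the thesis or its test framework), the following Python snippet evaluates recorded CDN-to-origin handshake results against the weaknesses the abstract lists, i.e. the ones a modern browser would refuse or warn about on a front-end connection: a missing origin-certificate check, RC4, MD5 or SHA-1 in the negotiated cipher suite, and plain HTTP to the origin. The probe record layout, the CDN names and the sample handshake results are constructed for this example; it also flags legacy protocol versions (SSLv3, TLS 1.0/1.1), which goes slightly beyond the abstract's list but matches what browsers block today.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Record layout is an assumption of this example: it is what a back-end test
# harness might log after pointing a CDN at a test origin it controls.
@dataclass
class BackendProbe:
    cdn: str
    scheme: str                  # "https", or "http" if the CDN used plain HTTP
    tls_version: Optional[str]   # e.g. "TLSv1.2"; None when no TLS was used
    cipher: Optional[str]        # OpenSSL ("RC4-MD5") or IANA ("TLS_RSA_WITH_RC4_128_MD5") name
    cert_validated: bool         # True if the CDN rejected a bad origin certificate

# Protocol versions that current browsers no longer negotiate.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def cipher_tokens(name: str) -> List[str]:
    """Split an OpenSSL or IANA cipher-suite name into upper-case tokens."""
    return [t for t in re.split(r"[-_]", name.upper()) if t]


def cipher_findings(name: str) -> List[str]:
    """Weaknesses in one cipher suite, in a fixed report order."""
    toks = cipher_tokens(name)
    found: List[str] = []
    if "NULL" in toks:
        found.append("NULL (no encryption)")
    if any(t.startswith("EXP") for t in toks):          # EXP-..., EXPORT, EXP1024-...
        found.append("export-grade key exchange")
    if any(t in ("ADH", "AECDH", "ANON") for t in toks):  # unauthenticated DH/ECDH
        found.append("anonymous key exchange")
    if "RC4" in toks:
        found.append("RC4")
    if any(t in ("DES", "3DES", "CBC3") for t in toks):   # DES-CBC3-SHA, ..._3DES_EDE_CBC_SHA
        found.append("DES/3DES")
    if "MD5" in toks:
        found.append("MD5 MAC")
    # A bare "SHA" token means SHA-1 as the HMAC; SHA256/SHA384 tokens are not matched.
    if "SHA" in toks:
        found.append("SHA-1 MAC")
    return found


def assess(probe: BackendProbe) -> List[str]:
    """All back-end weaknesses for one probe; empty list means clean."""
    if probe.scheme.lower() == "http":
        return ["plain HTTP to origin (no TLS at all)"]
    findings: List[str] = []
    if not probe.cert_validated:
        findings.append("origin certificate not validated")
    if probe.tls_version in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {probe.tls_version}")
    if probe.cipher:
        findings.extend(cipher_findings(probe.cipher))
    return findings


def vulnerable_cdns(probes: List[BackendProbe]) -> List[str]:
    """Names of the probed CDNs with at least one finding, sorted."""
    return sorted(p.cdn for p in probes if assess(p))


# Constructed sample results (not measurements from the thesis).
SAMPLE_PROBES = [
    BackendProbe("CDN-A", "https", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", True),
    BackendProbe("CDN-B", "https", "TLSv1.2", "ECDHE-RSA-AES128-SHA", False),
    BackendProbe("CDN-C", "https", "TLSv1", "RC4-MD5", True),
    BackendProbe("CDN-D", "http", None, None, False),
]

if __name__ == "__main__":
    for p in SAMPLE_PROBES:
        print(p.cdn, assess(p) or "clean")
    print("vulnerable:", vulnerable_cdns(SAMPLE_PROBES))
```

In a real harness the `cert_validated` field would come from a separate probe in which the test origin presents an expired, self-signed, or mismatched certificate and the harness records whether the CDN still completes the request; the cipher and protocol fields come from the handshake the test origin observes.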

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Shobiri, Behnam
Institution: Concordia University
Degree Name: M.A.Sc.
Program: Information Systems Security
Date: December 2021
Thesis Supervisor(s): Mannan, Mohammad and Youssef, Amr
ID Code: 990089
Deposited By: Behnam Shobiri
Deposited On: 16 Jun 2022 15:12
Last Modified: 16 Jun 2022 15:12
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.