Love All, Trust Few: on Trusting Intermediaries in HTTP

Abstract

Recent pervasive monitoring of Internet traffic has resulted in an effort to protect all communications by using Transport Layer Security (TLS) to thwart malicious third parties. We argue that such large-scale use of TLS may potentially disrupt many useful network-based services provided by middleboxes such as content caching, web acceleration, anti-malware scanning and traffic shaping when faced with congestion. As the use of Internet grows to include devices with varying resources and capabilities, and access networks with differing link characteristics, the prevalent two-party TLS model may prove restrictive. We present EFGH, a pluggable TLS extension that allows a trusted third-party to be introduced in the two-party model without affecting the underlying end-to-end security of the channel. The extension stresses the end-to-end trust relationship integrity by allowing selective exposure of the exchanged data to trusted middleboxes.