Unencrypted and unauthenticated protocols present security and privacy risks to end-to-end communications. Even when services support TLS, implementation vulnerabilities threaten their security. This research project proposes an architecture called Topology-aware Network Tunnels (TNT) which minimizes insecure network paths to Internet services without their participation. We argue that if end-to-end security with a server is not available the next best thing is a secure link to a network that is close to the server and will act as a gateway. We observe that popular web destinations are clustered inside cloud networks. This enables any user to strategically establish secure tunnels to these networks and route their traffic through them. As a result adversaries not able to compromise the web service or its hosting provider are presented with encrypted and authenticated traffic instead of today's plain text. The strategic placement of network tunnels, gathering of network intelligence and routing decisions of the TNT architecture are not found in VPN services, network proxies or Tor.
Protecting Insecure Communications with Topology-aware Network Tunnels. Georgios Kontaxis, and Angelos D. Keromytis. In Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS). October 2016, Vienna, Austria. (Acceptance rate: 16.5%) [Slides]
|In the TNT architecture an overlay of secure topology-aware tunnels is established between the client and a set of network vantage points. The number and placement of secure tunnels is strategically selected to minimize the network distance packets need to travel outside the overlay to reach their destination. Individual network packets are intelligently routed through the tunnel exiting closest to their destination. Tunnel exits within the same network as the destination of a packet (Servers A, B) eliminate the exposure of traffic to network adversaries.|