{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,16]],"date-time":"2025-12-16T12:32:26Z","timestamp":1765888346150,"version":"3.41.0"},"reference-count":58,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2020,5,29]],"date-time":"2020-05-29T00:00:00Z","timestamp":1590710400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100000038","name":"NSERC","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2020,6,30]]},"abstract":"<jats:p>\n            Network traffic inspection, including TLS traffic, in enterprise environments is widely practiced. Reasons for doing so are primarily related to improving enterprise security (e.g., phishing and malicious traffic detection) and meeting legal requirements (e.g., preventing unauthorized data leakage and copyright violations). To analyze TLS-encrypted data, network appliances implement a Man-in-the-Middle (MITM) TLS proxy by acting as the intended web server to a requesting client (e.g., a browser) and acting as the client to the actual\/outside web server. As such, the TLS proxy must implement both a TLS client and a server and handle a large amount of traffic, preferably in real-time. However, as protocol and implementation layer vulnerabilities in TLS\/HTTPS are quite frequent, these proxies must be at least as secure as a modern, up-to-date web browser and a properly configured web server (e.g., an A+ rating in SSLlabs.com). 
As opposed to client-end TLS proxies (e.g., as in several anti-virus products), the proxies in network appliances may serve hundreds to thousands of clients, and\n            <jats:italic>any<\/jats:italic>\n            vulnerability in their TLS implementations can significantly downgrade enterprise security.\n          <\/jats:p>\n          <jats:p>To analyze TLS security of network appliances, we develop a comprehensive framework, combining and extending tests from existing work on client-end and network-based interception studies. We analyze 13 representative network appliances over a period of more than a year (including versions before and after notifying affected vendors, a total of 17 versions) and uncover several security issues. For instance, we found that four appliances perform no certificate validation at all, three use pre-generated certificates, and eleven accept certificates signed using MD5, exposing their clients to MITM attacks. Our goal is to highlight the risks introduced by widely used TLS proxies in enterprise and government environments, potentially affecting many systems hosting security, privacy, and financially sensitive data.<\/jats:p>","DOI":"10.1145\/3372802","type":"journal-article","created":{"date-parts":[[2020,5,30]],"date-time":"2020-05-30T04:22:42Z","timestamp":1590812562000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":11,"title":["The Sorry State of TLS Security in Enterprise Interception Appliances"],"prefix":"10.1145","volume":"1","author":[{"given":"Louis","family":"Waked","sequence":"first","affiliation":[{"name":"Concordia Institute for Information Systems Engineering, Concordia University, Montreal, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9630-5858","authenticated-orcid":false,"given":"Mohammad","family":"Mannan","sequence":"additional","affiliation":[{"name":"Concordia Institute for Information Systems Engineering, Concordia 
University, Montreal, Canada"}]},{"given":"Amr","family":"Youssef","sequence":"additional","affiliation":[{"name":"Concordia Institute for Information Systems Engineering, Concordia University, Montreal, Canada"}]}],"member":"320","published-online":{"date-parts":[[2020,5,29]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"X. Su. 2017. BEAST attack 1\/n-1 split patch. Retrieved from https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=665814#c59.  X. Su. 2017. BEAST attack 1\/n-1 split patch. Retrieved from https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=665814#c59."},{"key":"e_1_2_1_2_1","unstructured":"2018. CacheGuard OS user\u2019s guide - SSL mediation. Retrieved from https:\/\/www.cacheguard.net\/doc\/guide\/ssl_mediation.html.  2018. CacheGuard OS user\u2019s guide - SSL mediation. Retrieved from https:\/\/www.cacheguard.net\/doc\/guide\/ssl_mediation.html."},{"key":"e_1_2_1_3_1","unstructured":"Cisco. 2020. Cisco WSA AsyncOS documentation. Retrieved from https:\/\/www.cisco.com\/c\/en\/us\/products\/security\/email-security-appliance\/asyncos_index.html.  Cisco. 2020. Cisco WSA AsyncOS documentation. Retrieved from https:\/\/www.cisco.com\/c\/en\/us\/products\/security\/email-security-appliance\/asyncos_index.html."},{"key":"e_1_2_1_4_1","unstructured":"GitHub. 2018. Curl\u2019s mk-ca-bundle.pl. Retrieved from https:\/\/github.com\/curl\/curl\/blob\/master\/lib\/mk-ca-bundle.pl.  GitHub. 2018. Curl\u2019s mk-ca-bundle.pl. Retrieved from https:\/\/github.com\/curl\/curl\/blob\/master\/lib\/mk-ca-bundle.pl."},{"key":"e_1_2_1_5_1","unstructured":"C. Wisniewski. 2011. DigiNotar CA breach. Retrieved from https:\/\/nakedsecurity.sophos.com\/2011\/09\/05\/operation-black-tulip-fox-its-report-on-the-diginotar-breach\/.  C. Wisniewski. 2011. DigiNotar CA breach. Retrieved from https:\/\/nakedsecurity.sophos.com\/2011\/09\/05\/operation-black-tulip-fox-its-report-on-the-diginotar-breach\/."},{"key":"e_1_2_1_6_1","unstructured":"K. Wilson. 2015. 
Distrusting new CNNIC certificates. Retrieved from https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/.  K. Wilson. 2015. Distrusting new CNNIC certificates. Retrieved from https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/."},{"key":"e_1_2_1_7_1","unstructured":"K. Wilson. 2016. Distrusting new WoSign and StartCom certificates. Retrieved from https:\/\/blog.mozilla.org\/security\/2016\/10\/24\/distrusting-new-wosign-and-startcom-certificates\/.  K. Wilson. 2016. Distrusting new WoSign and StartCom certificates. Retrieved from https:\/\/blog.mozilla.org\/security\/2016\/10\/24\/distrusting-new-wosign-and-startcom-certificates\/."},{"key":"e_1_2_1_8_1","unstructured":"W. Dormann. 2017. Effects of HTTPS and SSL inspection on the client. Retrieved from https:\/\/vuls.cert.org\/confluence\/display\/Wiki\/Effects+of+HTTPS+and+SSL+inspection+on+the+client.  W. Dormann. 2017. Effects of HTTPS and SSL inspection on the client. Retrieved from https:\/\/vuls.cert.org\/confluence\/display\/Wiki\/Effects+of+HTTPS+and+SSL+inspection+on+the+client."},{"key":"e_1_2_1_9_1","unstructured":"Extended validation OID. 2020. Retrieved from https:\/\/cabforum.org\/object-registry\/.  Extended validation OID. 2020. Retrieved from https:\/\/cabforum.org\/object-registry\/."},{"key":"e_1_2_1_10_1","unstructured":"Gibson Research Corporation. 2014. GRC certificate validation revoked test. Retrieved from https:\/\/revoked.grc.com\/.  Gibson Research Corporation. 2014. GRC certificate validation revoked test. Retrieved from https:\/\/revoked.grc.com\/."},{"key":"e_1_2_1_11_1","unstructured":"GitHub. 2014. Heartleech. Retrieved from https:\/\/github.com\/robertdavidgraham\/heartleech.  GitHub. 2014. Heartleech. Retrieved from https:\/\/github.com\/robertdavidgraham\/heartleech."},{"key":"e_1_2_1_12_1","unstructured":"GitHub. 2020. Howsmyssl. Retrieved from https:\/\/github.com\/jmhodges\/howsmyssl.  GitHub. 2020. 
Howsmyssl. Retrieved from https:\/\/github.com\/jmhodges\/howsmyssl."},{"key":"e_1_2_1_13_1","unstructured":"S. Rosenblatt. 2015. Lenovo\u2019s superfish security. Retrieved from https:\/\/www.cnet.com\/news\/superfish-torments-lenovo-owners-with-more-than-adware\/.  S. Rosenblatt. 2015. Lenovo\u2019s superfish security. Retrieved from https:\/\/www.cnet.com\/news\/superfish-torments-lenovo-owners-with-more-than-adware\/."},{"key":"e_1_2_1_14_1","unstructured":"P. Lindstr\u00f6m and O. Pap. 2017. Mapping the current state of SSL\/TLS - Thesis. Link\u00f6ping University.  P. Lindstr\u00f6m and O. Pap. 2017. Mapping the current state of SSL\/TLS - Thesis. Link\u00f6ping University."},{"key":"e_1_2_1_15_1","volume-title":"Microsoft TMG 2010 updates.","author":"Abluton K.","year":"2011","unstructured":"K. Abluton . 2011 . Microsoft TMG 2010 updates. Retrieved from https:\/\/blogs.technet.microsoft.com\/keithab\/2011\/09\/27\/forefront-tmg-2010-service-pack-rollup-and-version-number-reference\/. K. Abluton. 2011. Microsoft TMG 2010 updates. Retrieved from https:\/\/blogs.technet.microsoft.com\/keithab\/2011\/09\/27\/forefront-tmg-2010-service-pack-rollup-and-version-number-reference\/."},{"key":"e_1_2_1_16_1","unstructured":"Microsoft. 2019. Microsoft TMG supported OS version. Retrieved from https:\/\/www.microsoft.com\/en-ca\/download\/details.aspx?id=14238.  Microsoft. 2019. Microsoft TMG supported OS version. Retrieved from https:\/\/www.microsoft.com\/en-ca\/download\/details.aspx?id=14238."},{"key":"e_1_2_1_17_1","unstructured":"Microsoft. 2017. Microsoft trusted root certificate program. Retrieved from https:\/\/gallery.technet.microsoft.com\/Trusted-Root-Certificate-123665ca.  Microsoft. 2017. Microsoft trusted root certificate program. Retrieved from https:\/\/gallery.technet.microsoft.com\/Trusted-Root-Certificate-123665ca."},{"key":"e_1_2_1_18_1","unstructured":"GitHub. 2020. Mimikatz. Retrieved from https:\/\/github.com\/gentilkiwi\/mimikatz.  
GitHub. 2020. Mimikatz. Retrieved from https:\/\/github.com\/gentilkiwi\/mimikatz."},{"volume-title":"certdata.txt","key":"e_1_2_1_19_1","unstructured":"Mozilla. 2017. Mozilla\u2019s \u201c certdata.txt \u201d file. Retrieved from https:\/\/hg.mozilla.org\/mozilla-central\/raw-file\/tip\/security\/nss\/lib\/ckfw\/builtins\/certdata.txt. Mozilla. 2017. Mozilla\u2019s \u201ccertdata.txt\u201d file. Retrieved from https:\/\/hg.mozilla.org\/mozilla-central\/raw-file\/tip\/security\/nss\/lib\/ckfw\/builtins\/certdata.txt."},{"key":"e_1_2_1_20_1","unstructured":"A. Langley. 2013. Revoking ANSSI CA. Retrieved from https:\/\/security.googleblog.com\/2013\/12\/further-improving-digital-certificate.html.  A. Langley. 2013. Revoking ANSSI CA. Retrieved from https:\/\/security.googleblog.com\/2013\/12\/further-improving-digital-certificate.html."},{"key":"e_1_2_1_21_1","unstructured":"W. Dormann. 2015. The risks of SSL inspection. Retrieved from https:\/\/insights.sei.cmu.edu\/cert\/2015\/03\/the-risks-of-ssl-inspection.html.  W. Dormann. 2015. The risks of SSL inspection. Retrieved from https:\/\/insights.sei.cmu.edu\/cert\/2015\/03\/the-risks-of-ssl-inspection.html."},{"key":"e_1_2_1_22_1","unstructured":"Squid. 2020. SSL Bump configuration. Retrieved from http:\/\/www.squid-cache.org\/Doc\/config\/ssl_bump\/.  Squid. 2020. SSL Bump configuration. Retrieved from http:\/\/www.squid-cache.org\/Doc\/config\/ssl_bump\/."},{"key":"e_1_2_1_23_1","unstructured":"Qualys Inc. 2020. SSL client test. Retrieved from https:\/\/www.ssllabs.com\/ssltest\/viewMyClient.html.  Qualys Inc. 2020. SSL client test. Retrieved from https:\/\/www.ssllabs.com\/ssltest\/viewMyClient.html."},{"key":"e_1_2_1_24_1","unstructured":"P. Ducklin. 2013. The T\u00dcRKTRUST SSL certificate fiasco. Retrieved from https:\/\/nakedsecurity.sophos.com\/2013\/01\/08\/the-turktrust-ssl-certificate-fiasco-what-happened-and-what-happens-next\/.  P. Ducklin. 2013. The T\u00dcRKTRUST SSL certificate fiasco. 
Retrieved from https:\/\/nakedsecurity.sophos.com\/2013\/01\/08\/the-turktrust-ssl-certificate-fiasco-what-happened-and-what-happens-next\/."},{"key":"e_1_2_1_25_1","unstructured":"UFS. 2020. Linux Kernel archives. Retrieved from https:\/\/www.kernel.org\/doc\/Documentation\/filesystems\/ufs.txt.  UFS. 2020. Linux Kernel archives. Retrieved from https:\/\/www.kernel.org\/doc\/Documentation\/filesystems\/ufs.txt."},{"key":"e_1_2_1_26_1","unstructured":"Untangle. 2020. Untangle SSL inspector documentation. Retrieved from https:\/\/wiki.untangle.com\/index.php\/SSL_Inspector#Trust_All_Server_Certificates.  Untangle. 2020. Untangle SSL inspector documentation. Retrieved from https:\/\/wiki.untangle.com\/index.php\/SSL_Inspector#Trust_All_Server_Certificates."},{"key":"e_1_2_1_27_1","unstructured":"Debian System Manager\u2019s Manual. 2017. Retrieved from https:\/\/manpages.debian.org\/jessie\/ca-certificates\/update-ca-certificates.8.en.html.  Debian System Manager\u2019s Manual. 2017. Retrieved from https:\/\/manpages.debian.org\/jessie\/ca-certificates\/update-ca-certificates.8.en.html."},{"key":"e_1_2_1_28_1","unstructured":"US Department of Homeland Security. 2017. US-CERT alert on HTTPS interception. Retrieved from https:\/\/www.us-cert.gov\/ncas\/alerts\/TA17-075A.  US Department of Homeland Security. 2017. US-CERT alert on HTTPS interception. Retrieved from https:\/\/www.us-cert.gov\/ncas\/alerts\/TA17-075A."},{"key":"e_1_2_1_29_1","unstructured":"Volatility. 2018. Retrieved from http:\/\/www.volatilityfoundation.org\/26.  Volatility. 2018. Retrieved from http:\/\/www.volatilityfoundation.org\/26."},{"key":"e_1_2_1_30_1","unstructured":"N. Wienholt. 2017. Windows cryptography API (CNG). Retrieved from https:\/\/www.codeguru.com\/cpp\/w-p\/vista\/article.php\/c13813\/Windows-Cryptography-API-Next-Generation-CNG.htm.  N. Wienholt. 2017. Windows cryptography API (CNG). 
Retrieved from https:\/\/www.codeguru.com\/cpp\/w-p\/vista\/article.php\/c13813\/Windows-Cryptography-API-Next-Generation-CNG.htm."},{"key":"e_1_2_1_31_1","unstructured":"GitHub. 2020. ZMap. Retrieved from https:\/\/github.com\/zmap\/zmap.  GitHub. 2020. ZMap. Retrieved from https:\/\/github.com\/zmap\/zmap."},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201915)","author":"Adrian D.","year":"2015","unstructured":"D. Adrian , K. Bhargavan , Z. Durumeric , P. Gaudry , M. Green , J. A. Halderman , N. Heninger , D. Springall , E. Thom\u00e9 , L. Valenta , 2015 . Imperfect forward secrecy: How Diffie-Hellman fails in practice . In Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201915) . D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, N. Heninger, D. Springall, E. Thom\u00e9, L. Valenta, et al. 2015. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201915)."},{"key":"e_1_2_1_33_1","first-page":"131A","article-title":"2015. NIST recommendations","volume":"800","author":"Barker E.","year":"2015","unstructured":"E. Barker and A. Roginsky . 2015. NIST recommendations . NIST Spec. Public. 800 , 131A ( 2015 ), 1--29. E. Barker and A. Roginsky. 2015. NIST recommendations. NIST Spec. Public. 800, 131A (2015), 1--29.","journal-title":"NIST Spec. Public."},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy.","author":"Beurdouche B.","key":"e_1_2_1_34_1","unstructured":"B. Beurdouche , K. Bhargavan , A. Delignat-Lavaud , C. Fournet , M. Kohlweiss , A. Pironti , P.-Y. Strub , and J. K. Zinzindohoue . 2015. A messy state of the union: Taming the composite state machines of TLS . In Proceedings of the IEEE Symposium on Security and Privacy. B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. 
Strub, and J. K. Zinzindohoue. 2015. A messy state of the union: Taming the composite state machines of TLS. In Proceedings of the IEEE Symposium on Security and Privacy."},{"volume-title":"Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201916)","author":"Bhargavan K.","key":"e_1_2_1_35_1","unstructured":"K. Bhargavan and G. Leurent . 2016. On the practical (in-) security of 64-bit block ciphers: Collision attacks on HTTP over TLS and OpenVPN . In Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201916) . K. Bhargavan and G. Leurent. 2016. On the practical (in-) security of 64-bit block ciphers: Collision attacks on HTTP over TLS and OpenVPN. In Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201916)."},{"key":"e_1_2_1_36_1","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1007\/s00145-013-9162-9","article-title":"2015. New attacks on IDEA with at least 6 rounds","volume":"28","author":"Biham E.","year":"2015","unstructured":"E. Biham , O. Dunkelman , N. Keller , and A. Shamir . 2015. New attacks on IDEA with at least 6 rounds . J. Cryptol. 28 , 2 ( 2015 ), 209--239. E. Biham, O. Dunkelman, N. Keller, and A. Shamir. 2015. New attacks on IDEA with at least 6 rounds. J. Cryptol. 28, 2 (2015), 209--239.","journal-title":"J. Cryptol."},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. 114--129","author":"Brubaker C.","key":"e_1_2_1_37_1","unstructured":"C. Brubaker , S. Jana , B. Ray , S. Khurshid , and V. Shmatikov . 2014. Using Frankencerts for automated adversarial testing of certificate validation in SSL\/TLS implementations . In Proceedings of the IEEE Symposium on Security and Privacy. 114--129 . C. Brubaker, S. Jana, B. Ray, S. Khurshid, and V. Shmatikov. 2014. Using Frankencerts for automated adversarial testing of certificate validation in SSL\/TLS implementations. In Proceedings of the IEEE Symposium on Security and Privacy. 
114--129."},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy.","author":"Chau S. Y.","key":"e_1_2_1_38_1","unstructured":"S. Y. Chau , O. Chowdhury , E. Hoque , H. Ge , A. Kate , C. Nita-Rotaru , and N. Li . 2017. SymCerts: Practical symbolic execution for exposing noncompliance in X.509 certificate validation implementations . In Proceedings of the IEEE Symposium on Security and Privacy. S. Y. Chau, O. Chowdhury, E. Hoque, H. Ge, A. Kate, C. Nita-Rotaru, and N. Li. 2017. SymCerts: Practical symbolic execution for exposing noncompliance in X.509 certificate validation implementations. In Proceedings of the IEEE Symposium on Security and Privacy."},{"volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201916)","author":"Carn\u00e9 de Carnavalet X.","key":"e_1_2_1_39_1","unstructured":"X. de Carn\u00e9 de Carnavalet and M. Mannan . 2016. Killed by proxy: Analyzing client-end TLS interception software . In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201916) . X. de Carn\u00e9 de Carnavalet and M. Mannan. 2016. Killed by proxy: Analyzing client-end TLS interception software. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201916)."},{"key":"e_1_2_1_40_1","unstructured":"T. Duong and J. Rizzo. 2011. Here Come the \u2295 Ninjas. Unpublished Manuscript. Retrieved from https:\/\/nerdoholic.org\/uploads\/dergln\/beast_part2\/ssl_jun21.pdf.  T. Duong and J. Rizzo. 2011. Here Come the \u2295 Ninjas. Unpublished Manuscript. Retrieved from https:\/\/nerdoholic.org\/uploads\/dergln\/beast_part2\/ssl_jun21.pdf."},{"volume-title":"Proceedings of the Ekoparty Security Conference.","author":"Duong T.","key":"e_1_2_1_41_1","unstructured":"T. Duong and J. Rizzo . 2012. The CRIME attack . Proceedings of the Ekoparty Security Conference. T. Duong and J. Rizzo. 2012. The CRIME attack. 
Proceedings of the Ekoparty Security Conference."},{"volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201917)","author":"Durumeric Z.","key":"e_1_2_1_42_1","unstructured":"Z. Durumeric , Z. Ma , D. Springall , R. Barnes , N. Sullivan , E. Bursztein , M. Bailey , J. A. Halderman , and V. Paxson . 2017. The security impact of HTTPS interception . In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201917) . Z. Durumeric, Z. Ma, D. Springall, R. Barnes, N. Sullivan, E. Bursztein, M. Bailey, J. A. Halderman, and V. Paxson. 2017. The security impact of HTTPS interception. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201917)."},{"volume-title":"Proceedings of the ACM Conference on Computer and Communications Security. 50--61","author":"Fahl S.","key":"e_1_2_1_43_1","unstructured":"S. Fahl , M. Harbach , T. Muders , L. Baumg\u00e4rtner , B. Freisleben , and M. Smith . 2012. Why Eve and Mallory love Android: An analysis of Android SSL (in)security . In Proceedings of the ACM Conference on Computer and Communications Security. 50--61 . S. Fahl, M. Harbach, T. Muders, L. Baumg\u00e4rtner, B. Freisleben, and M. Smith. 2012. Why Eve and Mallory love Android: An analysis of Android SSL (in)security. In Proceedings of the ACM Conference on Computer and Communications Security. 50--61."},{"volume-title":"Proceedings of the ACM Conference on Computer and Communications Security. 38--49","author":"Georgiev M.","key":"e_1_2_1_44_1","unstructured":"M. Georgiev , S. Iyengar , S. Jana , R. Anubhai , D. Boneh , and V. Shmatikov . 2012. The most dangerous code in the world: Validating SSL certificates in non-browser software . In Proceedings of the ACM Conference on Computer and Communications Security. 38--49 . M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. 2012. The most dangerous code in the world: Validating SSL certificates in non-browser software. 
In Proceedings of the ACM Conference on Computer and Communications Security. 38--49."},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy.","author":"He B.","key":"e_1_2_1_45_1","unstructured":"B. He , V. Rastogi , Y. Cao , Y. Chen , V. Venkatakrishnan , R. Yang , and Z. Zhang . 2015. Vetting SSL usage in applications with SSLint . In Proceedings of the IEEE Symposium on Security and Privacy. B. He, V. Rastogi, Y. Cao, Y. Chen, V. Venkatakrishnan, R. Yang, and Z. Zhang. 2015. Vetting SSL usage in applications with SSLint. In Proceedings of the IEEE Symposium on Security and Privacy."},{"key":"e_1_2_1_46_1","unstructured":"R. Housley W. Ford W. Polk and D. Solo. 2008. RFC 5280: Internet x.509 public key infrastructure certificate and CRL profile May 2008. https:\/\/tools.ietf.org\/html\/rfc5280.  R. Housley W. Ford W. Polk and D. Solo. 2008. RFC 5280: Internet x.509 public key infrastructure certificate and CRL profile May 2008. https:\/\/tools.ietf.org\/html\/rfc5280."},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy.","author":"Huang L. S.","key":"e_1_2_1_47_1","unstructured":"L. S. Huang , A. Rice , E. Ellingsen , and C. Jackson . 2014. Analyzing forged SSL certificates in the wild . In Proceedings of the IEEE Symposium on Security and Privacy. L. S. Huang, A. Rice, E. Ellingsen, and C. Jackson. 2014. Analyzing forged SSL certificates in the wild. In Proceedings of the IEEE Symposium on Security and Privacy."},{"key":"e_1_2_1_48_1","volume-title":"Proceedings of the Black Hat Europe Conference.","author":"Jarmoc J.","year":"2012","unstructured":"J. Jarmoc . 2012 . SSL\/TLS interception proxies and transitive trust . In Proceedings of the Black Hat Europe Conference. J. Jarmoc. 2012. SSL\/TLS interception proxies and transitive trust. 
In Proceedings of the Black Hat Europe Conference."},{"volume-title":"Proceedings of the ACM\/SIGCOMM Internet Measurement Conference (IMC\u201916)","author":"O\u2019Neill M.","key":"e_1_2_1_49_1","unstructured":"M. O\u2019Neill , S. Ruoti , K. Seamons , and D. Zappala . 2016. TLS proxies: Friend or foe? In Proceedings of the ACM\/SIGCOMM Internet Measurement Conference (IMC\u201916) . M. O\u2019Neill, S. Ruoti, K. Seamons, and D. Zappala. 2016. TLS proxies: Friend or foe? In Proceedings of the ACM\/SIGCOMM Internet Measurement Conference (IMC\u201916)."},{"key":"e_1_2_1_50_1","doi-asserted-by":"crossref","unstructured":"E. Rescorla M. Ray S. Dispensa and N. Oskov. 2010. RFC 5746: Transport layer security (TLS) renegotiation indication extension Feb 2010. https:\/\/tools.ietf.org\/html\/rfc5746.  E. Rescorla M. Ray S. Dispensa and N. Oskov. 2010. RFC 5746: Transport layer security (TLS) renegotiation indication extension Feb 2010. https:\/\/tools.ietf.org\/html\/rfc5746.","DOI":"10.17487\/rfc5746"},{"volume-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201916)","author":"Ruoti S.","key":"e_1_2_1_51_1","unstructured":"S. Ruoti , M. O\u2019Neill , D. Zappala , and K. E. Seamons . 2016. User attitudes toward the inspection of encrypted traffic . In Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201916) . S. Ruoti, M. O\u2019Neill, D. Zappala, and K. E. Seamons. 2016. User attitudes toward the inspection of encrypted traffic. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201916)."},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy.","author":"Sivakorn S.","key":"e_1_2_1_52_1","unstructured":"S. Sivakorn , G. Argyros , K. Pei , A. D. Keromytis , and S. Jana . 2017. HVLearn: Automated black-box analysis of hostname verification in SSL\/TLS implementations . In Proceedings of the IEEE Symposium on Security and Privacy. S. Sivakorn, G. Argyros, K. Pei, A. D. 
Keromytis, and S. Jana. 2017. HVLearn: Automated black-box analysis of hostname verification in SSL\/TLS implementations. In Proceedings of the IEEE Symposium on Security and Privacy."},{"key":"e_1_2_1_53_1","volume-title":"Proceedings of the Chaos Communication Congress.","author":"Sotirov A.","year":"2008","unstructured":"A. Sotirov , M. Stevens , J. Appelbaum , A. K. Lenstra , D. Molnar , D. A. Osvik , and B. de Weger . 2008 . MD5 considered harmful today, creating a rogue CA certificate . In Proceedings of the Chaos Communication Congress. A. Sotirov, M. Stevens, J. Appelbaum, A. K. Lenstra, D. Molnar, D. A. Osvik, and B. de Weger. 2008. MD5 considered harmful today, creating a rogue CA certificate. In Proceedings of the Chaos Communication Congress."},{"volume-title":"Proceedings of the Financial Cryptography Conference (FC\u201916)","author":"Valenta L.","key":"e_1_2_1_54_1","unstructured":"L. Valenta , S. Cohney , A. Liao , J. Fried , S. Bodduluri , and N. Heninger . 2016. Factoring as a service . In Proceedings of the Financial Cryptography Conference (FC\u201916) . L. Valenta, S. Cohney, A. Liao, J. Fried, S. Bodduluri, and N. Heninger. 2016. Factoring as a service. In Proceedings of the Financial Cryptography Conference (FC\u201916)."},{"key":"e_1_2_1_55_1","volume-title":"The day DES died","author":"Van De Zande P.","year":"2001","unstructured":"P. Van De Zande . 2001. The day DES died . SANS Institute ( 2001 ). https:\/\/www.sans.org\/reading-room\/whitepapers\/vpns\/paper\/722. P. Van De Zande. 2001. The day DES died. SANS Institute (2001). https:\/\/www.sans.org\/reading-room\/whitepapers\/vpns\/paper\/722."},{"volume-title":"Proceedings of the USENIX Security Symposium.","author":"Vanhoef M.","key":"e_1_2_1_56_1","unstructured":"M. Vanhoef and F. Piessens . 2015. All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS . In Proceedings of the USENIX Security Symposium. M. Vanhoef and F. Piessens. 2015. 
All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS. In Proceedings of the USENIX Security Symposium."},{"volume-title":"Proceedings of the ACM Asia Conference on Computer and Communications Security (AsiaCCS\u201918)","author":"Waked L.","key":"e_1_2_1_57_1","unstructured":"L. Waked , M. Mannan , and A. Youssef . 2018. To intercept or not to intercept: Analyzing TLS interception in network appliances . In Proceedings of the ACM Asia Conference on Computer and Communications Security (AsiaCCS\u201918) . L. Waked, M. Mannan, and A. Youssef. 2018. To intercept or not to intercept: Analyzing TLS interception in network appliances. In Proceedings of the ACM Asia Conference on Computer and Communications Security (AsiaCCS\u201918)."},{"volume-title":"Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT\u201905)","author":"Wang X.","key":"e_1_2_1_58_1","unstructured":"X. Wang and H. Yu . 2005. How to break MD5 and other hash functions . In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT\u201905) . X. Wang and H. Yu. 2005. How to break MD5 and other hash functions. 
In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT\u201905)."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372802","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3372802","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:41:09Z","timestamp":1750200069000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372802"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,5,29]]},"references-count":58,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2020,6,30]]}},"alternative-id":["10.1145\/3372802"],"URL":"https:\/\/doi.org\/10.1145\/3372802","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"type":"print","value":"2692-1626"},{"type":"electronic","value":"2576-5337"}],"subject":[],"published":{"date-parts":[[2020,5,29]]},"assertion":[{"value":"2018-12-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-06-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-05-29","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}