{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T16:05:41Z","timestamp":1775837141906,"version":"3.50.1"},"reference-count":37,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2023,3,7]],"date-time":"2023-03-07T00:00:00Z","timestamp":1678147200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,3,31]]},"abstract":"<jats:p>Content Delivery Networks (CDNs) play a vital role in today\u2019s Internet ecosystem. To reduce the latency of loading a website\u2019s content, CDNs deploy edge servers in different geographic locations. CDN providers also offer important security features including protection against Denial of Service (DoS) attacks, Web Application Firewalls (WAFs), and recently, issuing and managing certificates for their customers. Many popular websites use CDNs to benefit from both the security and the performance advantages. For HTTPS websites, Transport Layer Security (TLS) security choices may differ in the connections between end-users and a CDN (front-end or user-to-CDN), and between the CDN and the origin server (back-end or CDN-to-Origin). Modern browsers can stop\/warn users if weak or insecure TLS\/HTTPS options are used in the front-end connections. However, such problems in the back-end connections are not visible to browsers or end-users, and lead to serious security issues (e.g., not validating the certificate can lead to MitM attacks). In this article, we primarily analyze TLS\/HTTPS security issues in the back-end communication; such issues include inadequate certificate validation and support for vulnerable TLS configurations. We develop a test framework and investigate the back-end connection of 14 leading CDNs (including Cloudflare, Microsoft Azure, Amazon, and Fastly), where we could create an account. Surprisingly, for all the 14 CDNs, we found that the back-end TLS connections are vulnerable to security issues prevented\/warned by modern browsers; examples include failing to validate the origin server\u2019s certificate, and using insecure cipher suites such as RC4, MD5, SHA-1, and even allowing plain HTTP connections to the origin. We also identified 168,795 websites in the Alexa top 1 million that are potentially vulnerable to Man-in-the-Middle (MitM) attacks in their back-end connections regardless of the origin\/CDN configurations chosen by the origin owner.<\/jats:p>","DOI":"10.1145\/3499428","type":"journal-article","created":{"date-parts":[[2022,7,19]],"date-time":"2022-07-19T12:11:05Z","timestamp":1658232665000},"page":"1-22","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["CDNs\u2019 Dark Side: Security Problems in CDN-to-Origin Connections"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7433-050X","authenticated-orcid":false,"given":"Behnam","family":"Shobiri","sequence":"first","affiliation":[{"name":"Concordia University, Montreal, QC, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9630-5858","authenticated-orcid":false,"given":"Mohammad","family":"Mannan","sequence":"additional","affiliation":[{"name":"Concordia University, Montreal, QC, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4284-8646","authenticated-orcid":false,"given":"Amr","family":"Youssef","sequence":"additional","affiliation":[{"name":"Concordia University, Montreal, QC, Canada"}]}],"member":"320","published-online":{"date-parts":[[2023,3,7]]},"reference":[{"key":"e_1_3_3_2_2","volume-title":"Wireshark  \\(\\cdot\\)  Go Deep.","author":"Foundation Wireshark","year":"2021","unstructured":"Wireshark Foundation. 2021. Wireshark \\(\\cdot\\) Go Deep. Retrieved April 2021 from https:\/\/www.wireshark.org\/."},{"key":"e_1_3_3_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813707"},{"key":"e_1_3_3_4_2","volume-title":"Security, Cloud Delivery","author":"Technologies Akamai","year":"2021","unstructured":"Akamai Technologies. 2021. Security, Cloud Delivery. Retrieved April 2021 from https:\/\/www.akamai.com."},{"key":"e_1_3_3_5_2","volume-title":"Keyword Research, Competitor Analysis, & Website Ranking: Alexa","author":"Inc. Alexa Internet,","year":"2021","unstructured":"Alexa Internet, Inc.2021. Keyword Research, Competitor Analysis, & Website Ranking: Alexa. Retrieved October 7, 2020 from http:\/\/www.alexa.com\/."},{"key":"e_1_3_3_6_2","volume-title":"Amazon Cloudfront.","author":"Inc. Amazon Web Services,","year":"2021","unstructured":"Amazon Web Services, Inc.2021. Amazon Cloudfront. Retrieved April 2021 from https:\/\/aws.amazon.com\/cloudfront\/."},{"key":"e_1_3_3_7_2","volume-title":"Amazon Web Services (AWS) - Cloud Computing Services","author":"Inc. Amazon Web Services,","year":"2021","unstructured":"Amazon Web Services, Inc.2021. Amazon Web Services (AWS) - Cloud Computing Services. Retrieved April 2021 from https:\/\/aws.amazon.com\/."},{"key":"e_1_3_3_8_2","volume-title":"Using Amazon CloudFront Origin Shield","author":"Inc. Amazon Web Services,","year":"2021","unstructured":"Amazon Web Services, Inc.2021. Using Amazon CloudFront Origin Shield. Retrieved April 2021 from https:\/\/docs.aws.amazon.com\/AmazonCloudFront\/latest\/DeveloperGuide\/origin-shield.html."},{"key":"e_1_3_3_9_2","volume-title":"badssl.com","year":"2021","unstructured":"badssl.com. 2021. badssl.com. Retrieved April 2021 from https:\/\/badssl.com."},{"key":"e_1_3_3_10_2","doi-asserted-by":"crossref","unstructured":"A. Barbir B. Cain R. Nair and O. Spatscheck. 2003. RFC3568: Known Content Network (CN) Request-Routing Mechanisms.","DOI":"10.17487\/rfc3568"},{"key":"e_1_3_3_11_2","volume-title":"The Headers We Don\u2019t Want","author":"Betts Andrew","year":"2018","unstructured":"Andrew Betts. 2018. The Headers We Don\u2019t Want. Retrieved April 2021 from http:\/\/www.fastly.com\/blog\/headers-we-dont-want."},{"key":"e_1_3_3_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978423"},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978301"},{"key":"e_1_3_3_14_2","volume-title":"Origin Shield - CDN Planet","author":"Planet CDN","year":"2020","unstructured":"CDN Planet. 2020. Origin Shield - CDN Planet. Retrieved July 2020 from https:\/\/www.cdnplanet.com\/guides\/origin-shield."},{"key":"e_1_3_3_15_2","unstructured":"Cisco. 2017. Cisco Visual Networking Index: Forecast and Methodology. Retrieved on August 9 2022 https:\/\/s3.amazonaws.com\/media.mediapost.com\/uploads\/CiscoForecast.pdf."},{"key":"e_1_3_3_16_2","volume-title":"End-to-End HTTPS with Cloudflare\u2014Part 1: Conceptual Overview","author":"Inc. Cloudflare,","year":"2020","unstructured":"Cloudflare, Inc.2020. End-to-End HTTPS with Cloudflare\u2014Part 1: Conceptual Overview. Retrieved April, 2021 from https:\/\/support.cloudflare.com\/hc\/en-us\/articles\/360024787372-End-to-end-HTTPS-with-Cloudflare-Part-1-conceptual-overview."},{"key":"e_1_3_3_17_2","volume-title":"Cloudflare Workers\u00ae","author":"Inc. Cloudflare,","year":"2021","unstructured":"Cloudflare, Inc.2021. Cloudflare Workers\u00ae. Retrieved April, 2021 from https:\/\/workers.cloudflare.com\/."},{"key":"e_1_3_3_18_2","volume-title":"Troubleshooting Cloudflare 5XX Errors.","author":"Inc. Cloudflare,","year":"2021","unstructured":"Cloudflare, Inc.2021. Troubleshooting Cloudflare 5XX Errors. Retrieved April 2021 from https:\/\/support.cloudflare.com\/hc\/en-us\/articles\/115003011431-Troubleshooting-Cloudflare-5XX-errors#526error."},{"key":"e_1_3_3_19_2","volume-title":"What is Serverless Computing?","author":"Inc. Cloudflare,","year":"2021","unstructured":"Cloudflare, Inc.2021. What is Serverless Computing? Retrieved April 2021 from https:\/\/www.cloudflare.com\/en-ca\/learning\/serverless\/what-is-serverless\/."},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1983.1056650"},{"key":"e_1_3_3_21_2","volume-title":"Adding or Modifying Headers on HTTP Requests and Responses: Fastly Help Guides","author":"Inc Fastly,","year":"2018","unstructured":"Fastly, Inc. 2018. Adding or Modifying Headers on HTTP Requests and Responses: Fastly Help Guides. Retrieved April 2021 from docs.fastly.com\/en\/guides\/adding-or-modifying-headers-on-http-requests-and-responses."},{"key":"e_1_3_3_22_2","volume-title":"The Edge Cloud Platform Behind the Best of the Web","author":"Inc Fastly,","year":"2021","unstructured":"Fastly, Inc. 2021. The Edge Cloud Platform Behind the Best of the Web. Retrieved April 2021 from http:\/\/www.fastly.com."},{"key":"e_1_3_3_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/SRDS.2018.00011"},{"key":"e_1_3_3_24_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24411"},{"key":"e_1_3_3_25_2","first-page":"1129","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Hao Shuai","year":"2018","unstructured":"Shuai Hao, Yubao Zhang, Haining Wang, and Angelos Stavrou. 2018. End-users get maneuvered: Empirical analysis of redirection hijacking in content delivery networks. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 1129\u20131145. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/hao."},{"key":"e_1_3_3_26_2","volume-title":"Cyber Security Leader: Imperva, Inc.","author":"Inc. Imperva,","year":"2021","unstructured":"Imperva, Inc.2021. Cyber Security Leader: Imperva, Inc. Retrieved April 2021 from https:\/\/www.imperva.com."},{"key":"e_1_3_3_27_2","first-page":"1","volume-title":"2019 IEEE 27th International Conference on Network Protocols (ICNP\u201919)","author":"Jin Lin","year":"2019","unstructured":"Lin Jin, Shuai Hao, Haining Wang, and Chase Cotton. 2019. Unveil the hidden presence: Characterizing the backend interface of content delivery networks. In 2019 IEEE 27th International Conference on Network Protocols (ICNP\u201919). IEEE, 1\u201311."},{"key":"e_1_3_3_28_2","volume-title":"Let\u2019s Encrypt, Revoking Certificates","author":"Encrypt Let\u2019s","year":"2020","unstructured":"Let\u2019s Encrypt. 2020. Let\u2019s Encrypt, Revoking Certificates. Retrieved April 2021 from https:\/\/letsencrypt.org\/docs\/revoking\/."},{"key":"e_1_3_3_29_2","volume-title":"Free SSL\/TLS Certificates","author":"Encrypt Let\u2019s","year":"2021","unstructured":"Let\u2019s Encrypt. 2021. Free SSL\/TLS Certificates. Retrieved April 2021 from https:\/\/letsencrypt.org\/."},{"key":"e_1_3_3_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.12"},{"key":"e_1_3_3_31_2","volume-title":"StackPath Settings: Origin SSL Validation","author":"M Tim","year":"2021","unstructured":"Tim M. 2021. StackPath Settings: Origin SSL Validation. Retrieved February 2021 from https:\/\/support.stackpath.com\/hc\/en-us\/articles\/360037197792-StackPath-Settings-Origin-SSL-Validation."},{"key":"e_1_3_3_32_2","volume-title":"moxie0\/Sslsniff.","year":"2019","unstructured":"moxie. 2019. moxie0\/Sslsniff. Retrieved December 2019 from github.com\/moxie0\/sslsniff."},{"key":"e_1_3_3_33_2","volume-title":"OpenSSL Foundation, Inc.","author":"Foundation OpenSSL Software","year":"2021","unstructured":"OpenSSL Software Foundation. 2021. OpenSSL Foundation, Inc. Retrieved April 2021 from https:\/\/www.openssl.org."},{"key":"e_1_3_3_34_2","volume-title":"Settings: SSL Validation","author":"Parasol Yaniv","year":"2020","unstructured":"Yaniv Parasol. 2020. Settings: SSL Validation. Retrieved February 2021 from https:\/\/support.stackpath.com\/hc\/en-us\/articles\/360037362652-Settings-SSL-Validation-."},{"key":"e_1_3_3_35_2","volume-title":"BGP Leaks and Cryptocurrencies","author":"Poinsignon L.","year":"2018","unstructured":"L. Poinsignon. 2018. BGP Leaks and Cryptocurrencies. Retrieved August 2020 from https:\/\/blog.cloudflare.com\/bgp-leaks-and-crypto-currencies."},{"key":"e_1_3_3_36_2","first-page":"1","article-title":"The transport layer security (TLS) protocol version 1.3","volume":"8446","author":"Rescorla E.","year":"2018","unstructured":"E. Rescorla. 2018. The transport layer security (TLS) protocol version 1.3. RFC 8446 (2018), 1\u2013160.","journal-title":"RFC"},{"key":"e_1_3_3_37_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372802"},{"key":"e_1_3_3_38_2","volume-title":"Weak Diffie-Hellman and the Logjam Attack","year":"2015","unstructured":"weakdh. 2015. Weak Diffie-Hellman and the Logjam Attack. Retrieved April 2021 from https:\/\/weakdh.org\/."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3499428","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3499428","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:30:38Z","timestamp":1750188638000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3499428"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,7]]},"references-count":37,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,3,31]]}},"alternative-id":["10.1145\/3499428"],"URL":"https:\/\/doi.org\/10.1145\/3499428","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,3,7]]},"assertion":[{"value":"2021-04-29","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-11-11","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-03-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}