Inspecting TLS Anytime Anywhere: A New Approach to TLS Interception

2020 
Transport Layer Security (TLS) is one of the most widely used security protocols on the modern internet. However, TLS does not differentiate regular users from threat actors who want to evade detection through the privacy that TLS provides. For this reason, organizations have become increasingly interested in middlebox technology whereby encrypted TLS traffic can be filtered and inspected.

So far, the majority of middleboxes use the "TLS interception proxy" technique, in which a middlebox acts as a proxy to intercept the TLS traffic between the user and the server. However, this approach forces the user to accept the proxy's certificate. It also has a performance cost, as the proxy needs to decrypt and re-encrypt the traffic.

In this paper, we take a new approach to TLS inspection. Our solution, which we call "IA2-TLS (Inspecting TLS Anytime Anywhere)", is based on the idea of securely binding the middlebox's "inspection key" to the random nonces used in the TLS protocol. Since IA2-TLS does not employ the TLS interception proxy technique, it avoids both proxy certificate management and the associated performance degradation. Inspection through IA2-TLS is not confined to a specific location and can be provided in any area along the network path. Moreover, the inspection can be performed in real time or after the fact, depending on the user's preference or network circumstances.

We provide a formal security analysis showing that the master secret of the IA2-TLS protocol remains secure as long as the inspection key is kept secret. We also present our implementation of IA2-TLS, which shows the feasibility of our approach.