BlindBox: Deep Packet Inspection over Encrypted Traffic: A Critique

Summary
As Hyper Text Transfer Protocol Secure (HTTPS) becomes the new normal for the World Wide Web (WWW), Deep Packet Inspection (DPI) of encrypted streams becomes more crucial than ever. Sherry and her colleagues claim to introduce the first system that simultaneously provides the functionality of middleboxes and the privacy of encryption: BlindBox [4]. This system performs deep packet inspection directly on the encrypted traffic, which makes it practical for real-world applications that use long-lived HTTPS connections.
Strengths
The BlindBox System is the first-ever system that enables DPI over encrypted traffic without decrypting the underlying data. That, in itself, is a remarkable strength of the paper. The system is also claimed to perform competitively with other Intrusion Detection Systems (IDS).
Weaknesses
The BlindBox System requires both parties to be aware of the protocol they envisioned, as the implementation requires a tokenizer on the sender and a validator on the receiver. That requirement makes it unfit for specific middlebox applications where either the sender or the receiver is not aware of the protocol.
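To make the sender-side tokenizer and the middlebox's match-on-ciphertext idea concrete, here is an added, simplified illustration (not code from the paper or the BlindBox project): the payload is cut into fixed-size sliding windows, each window is encrypted deterministically under a per-session key, and the middlebox flags a keyword when all of the keyword's encrypted windows appear in the stream. The 8-byte window size, the use of HMAC-SHA256 as the deterministic token encryption, and the direct hand-over of the session key to the rule-encryption step are assumptions made for brevity; the paper's protocol uses an AES-based scheme and obtains the encrypted rules obliviously.

```python
import hashlib
import hmac

WINDOW = 8  # fixed-size sliding window over the payload (assumed size)


def tokenize(data: bytes, window: int = WINDOW) -> list[bytes]:
    """Sender-side tokenizer: every window-sized substring, sliding one byte at a time."""
    if len(data) < window:
        raise ValueError("input shorter than one window; delimiter tokenization omitted here")
    return [data[i:i + window] for i in range(len(data) - window + 1)]


def encrypt_token(key: bytes, token: bytes) -> bytes:
    """Deterministic keyed encryption of one token: equal plaintext tokens under the same
    key give equal ciphertexts. HMAC-SHA256 stands in for the paper's AES-based scheme."""
    return hmac.new(key, token, hashlib.sha256).digest()


def sender_encrypt(key: bytes, payload: bytes) -> list[bytes]:
    """What the sender emits beside the normal TLS ciphertext: the encrypted tokens."""
    return [encrypt_token(key, t) for t in tokenize(payload)]


def encrypt_rules(key: bytes, keywords: list[bytes]) -> dict[bytes, set[bytes]]:
    """Encrypt each IDS keyword under the session key with the same tokenizer.
    (Simplification: the key is handed over directly instead of being used obliviously.)"""
    return {kw: {encrypt_token(key, t) for t in tokenize(kw)} for kw in keywords}


def middlebox_inspect(encrypted_tokens: list[bytes], encrypted_rules: dict) -> list[bytes]:
    """Middlebox: a keyword matches when all of its encrypted tokens occur in the stream.
    Only ciphertext equality is compared; no plaintext or key is available here."""
    seen = set(encrypted_tokens)
    return sorted(kw for kw, toks in encrypted_rules.items() if toks <= seen)


# Constructed sample data, not taken from the paper.
SESSION_KEY = b"example-session-key-0001"
PAYLOAD = b"GET /download?name=/etc/passwd HTTP/1.1\r\n"
RULES = [b"/etc/passwd", b"malicious.exe"]


def run_demo(rule_key: bytes = SESSION_KEY) -> list[bytes]:
    """Keywords the middlebox flags for PAYLOAD when the rules are encrypted under rule_key."""
    return middlebox_inspect(sender_encrypt(SESSION_KEY, PAYLOAD), encrypt_rules(rule_key, RULES))


if __name__ == "__main__":
    print(run_demo())               # [b'/etc/passwd']
    print(run_demo(b"other-key"))   # []  rules encrypted under another session key never match
```

The second call shows why the rule set has to be re-encrypted per session key, which is exactly the setup cost the paper spends garbled circuits on.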
Analysis I
The paper discusses some practical concerns of the BlindBox System in the real world, like how an Internet Service Provider (ISP) would have an incentive not to deploy BlindBox. They further try to address this self-acknowledged problem by offering some hypotheses about how ISPs could come up with a revenue model that would incentivize adoption. Discussing such practical aspects of the proposed system in such a technical paper is quite unusual.
They fall short, though, of providing a reasonable solution to another concern they raised. As Sherry et al. admit, the BlindBox System requires an entirely new alternative to HTTPS. They simply dismiss the impracticality of this requirement by saying that the benefit of allowing inspection of encrypted traffic would yield "default" adoption regardless of how painful the transition would be.
Analysis II
The attention to detail in the technical aspects of this paper is quite remarkable. Not only do Sherry et al. provide three different protocols for supporting a wide range of IDS filtering applications, but they also do them justice by meticulously documenting the implementation details as pseudo-code and adding lengthy explanations of what each step is for. They even go so far as to provide a section solely dedicated to explaining which underlying libraries they used to implement the protocols they describe. There they mention a couple of useful tools like JustGarble, Click, and ssldump.
Similarly, the functionality evaluation provided in the paper answers some practical questions like "Can BlindBox implement the functionality required for each target system?". Overall, Sherry et al. do everything they can both to justify why one should use BlindBox and to show how one can go about implementing the protocol.
References
[1] ssldump: an SSL/TLS network protocol analyzer. http://ssldump.sourceforge.net/
[2] M. Bellare, V. T. Hoang, S. Keelveedhi, and P. Rogaway. Efficient garbling from a fixed-key blockcipher. In 2013 IEEE Symposium on Security and Privacy, pages 478–492, May 2013.
[3] R. Morris, E. Kohler, J. Jannotti, and M. F. Kaashoek. The Click modular router. SIGOPS Oper. Syst. Rev., 33(5):217–231, Dec. 1999.
[4] J. Sherry, C. Lan, R. A. Popa, and S. Ratnasamy. BlindBox: Deep packet inspection over encrypted traffic. SIGCOMM Comput. Commun. Rev., 45(4):213–226, Aug. 2015.