CCS 2016
Protecting Insecure Communications with Topology-aware Network Tunnels
Georgios Kontaxis, Angelos D. Keromytis
Abstract
Unencrypted and unauthenticated protocols present security and privacy risks to end-to-end communications. At the same time, we observe that only 30% of popular web servers offer HTTPS. Even when services support it, implementation vulnerabilities threaten their security. In this paper we propose an architecture called Topology-aware Network Tunnels (TNT), which minimizes the insecure network paths to Internet services without requiring their participation. TNT is not a substitute for TLS. We determine that popular web destinations are collocated in a small set of networks, with 10 autonomous systems hosting 66% of traffic. At the same time, cloud providers either own these networks or are very close to them. Therefore clients can strategically establish secure tunnels to these providers and route their traffic through them. As a result, adversaries who cannot compromise the web service or its hosting provider are presented with encrypted and authenticated traffic instead of today's plain text. The strategic placement of network tunnels, the gathering of network intelligence and the routing decisions of the TNT architecture are not found in VPN services, network proxies or Tor. Existing overlay routing systems such as RON and one-hop source routing cannot substitute for TNT. We implement our proposal as a routing software suite and evaluate it extensively using diverse cloud and ISP networks. We eliminate plain-text traffic to the Internet for 20% of web servers, reduce it to one network hop for an additional 20% and minimize it for the rest. We preserve the original network latency and page load time. TNT is practical and can be deployed by clients today.
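The core routing decision the abstract describes, choosing the tunnel exit from which the remaining plain-text path to a destination is shortest, is illustrated below. This is an added example written for this page, not the authors' routing software suite: the AS names, hostnames, exit names and AS-level paths are all constructed, and the exposure metric (count of inter-AS links after the tunnel exit) is a simplification of whatever measurement TNT actually performs.

```python
"""Topology-aware tunnel selection, an added illustration of the TNT idea.

Example code written for this page, not the paper's implementation.
Every AS name, hostname, exit name and path below is constructed.
"""
from typing import Dict, List, Tuple

ASPath = List[str]

# Constructed AS-level path from the client's ISP directly to each destination.
# The last element is the AS that hosts the destination.
DIRECT_PATHS: Dict[str, ASPath] = {
    "a.example": ["AS-ISP", "AS-TRANSIT1", "AS-CLOUD-A"],
    "b.example": ["AS-ISP", "AS-TRANSIT1", "AS-TRANSIT2", "AS-B"],
    "c.example": ["AS-ISP", "AS-C"],
}

# Constructed AS-level paths from each tunnel exit (a host the client controls
# inside a cloud provider) to each destination. The first element is the AS of
# the exit itself: traffic is encrypted and authenticated up to there and is
# plain text from there onward.
EXIT_PATHS: Dict[str, Dict[str, ASPath]] = {
    "exit-cloud-a": {
        "a.example": ["AS-CLOUD-A"],
        "b.example": ["AS-CLOUD-A", "AS-TRANSIT2", "AS-B"],
        "c.example": ["AS-CLOUD-A", "AS-TRANSIT1", "AS-C"],
    },
    "exit-cloud-b": {
        "a.example": ["AS-CLOUD-B", "AS-TRANSIT2", "AS-CLOUD-A"],
        "b.example": ["AS-CLOUD-B", "AS-B"],
        "c.example": ["AS-CLOUD-B", "AS-TRANSIT2", "AS-TRANSIT3", "AS-C"],
    },
}


def plaintext_links(path: ASPath) -> int:
    """Number of inter-AS links that carry plain text along `path`.

    A single-AS path means the destination is hosted in the AS where traffic
    leaves the tunnel, so there is no plain-text link at all.
    """
    return len(path) - 1


def choose_route(dest: str,
                 direct_paths: Dict[str, ASPath],
                 exit_paths: Dict[str, Dict[str, ASPath]]) -> Tuple[str, int]:
    """Return (route, plaintext_links) for `dest`, minimizing exposure.

    `route` is either an exit name or "direct". Ties go to the direct path:
    a tunnel that does not shorten the plain-text path buys nothing and only
    adds tunnel overhead.
    """
    best = ("direct", plaintext_links(direct_paths[dest]))
    for exit_name, paths in exit_paths.items():
        if dest not in paths:
            continue  # no measurement from this exit: skip rather than guess
        n = plaintext_links(paths[dest])
        if n < best[1]:
            best = (exit_name, n)
    return best


def build_plan(direct_paths: Dict[str, ASPath],
               exit_paths: Dict[str, Dict[str, ASPath]]) -> Dict[str, Tuple[str, int]]:
    """Routing plan: destination -> (route, plaintext_links)."""
    return {d: choose_route(d, direct_paths, exit_paths) for d in direct_paths}


def summarize(plan: Dict[str, Tuple[str, int]]) -> Dict[str, int]:
    """Bucket destinations the way the abstract reports results:
    plain text eliminated, reduced to one link, or merely minimized."""
    out = {"eliminated": 0, "one_link": 0, "more": 0}
    for _, n in plan.values():
        if n == 0:
            out["eliminated"] += 1
        elif n == 1:
            out["one_link"] += 1
        else:
            out["more"] += 1
    return out


if __name__ == "__main__":
    plan = build_plan(DIRECT_PATHS, EXIT_PATHS)
    for dest, (route, n) in plan.items():
        print(f"{dest:12s} via {route:13s} plain-text AS links: {n}")
    print(summarize(plan))
```

Two caveats a practitioner should keep in mind when adapting this. First, the metric here counts AS-level links, which is coarser than router hops and says nothing about which links an adversary can actually observe; real path data (traceroute from each exit, BGP views) is what makes the decision topology-aware rather than guesswork. Second, even a route with zero plain-text links only protects traffic from observers outside the hosting provider's network, which is exactly why the abstract stresses that TNT is not a substitute for TLS.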