Network communications want to be encrypted: https has already surpassed in popularity the (unencrypted) http; other protocols enable encryption by default. This is great for protecting the integrity and the privacy of the communication, but, unfortunately, renders a number of network middleboxes unable to provide the performance and functionality benefits that the current Internet depends on. There is a pressing need to integrate middleboxes into secure communication sessions, without compromising security and without requiring a complete overhaul of existing protocols and practices. We have designed and implemented Middlebox TLS (mbTLS), a small set of TLS extensions, that enables middleboxes to announce their presence and prove their capabilities to the TLS endpoints. mbTLS uses trusted computing technology (Intel SGX in our implementation) to provide security guarantees on untrusted hardware. mbTLS allows middleboxes to participate in the TLS session without compromising integrity or privacy, even if only one endpoint is mbTLS-aware, and with modest performance overhead.

Christos is a researcher in the Systems and Networking Group in Microsoft Research, Cambridge, UK. He holds a Ph.D. from Georgia Institute of Technology, Atlanta, GA, USA, and a bachelors from University of Patras, Greece, both in computer science. He is interested in network management and cloud computing. In the past, he has worked on data analytics, content distribution networks, analysis and modelling of complex communication networks, and wireless mesh networking. Christos is a member of ACM and Usenix.