Why this work is in the frame
A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.
Bibliographic record
Abstract
Many enterprise-grade network appliances host a TLS proxy to facilitate interception of TLS-protected traffic for various purposes, including malware scanning, phishing detection, and preventing data exfiltration. When deployed, the TLS proxy acts as the security validating client for external TLS web servers, on behalf of the original requesting client; on the other hand, the proxy acts as the web server to the client. Consequently, TLS proxies must maintain a reliable level of security, at least, at the same level as modern web browsers and properly configured TLS servers. Failure to do so increases the attack surface of all the proxied clients served the network appliance. We develop a framework for testing TLS inspecting appliances, combining and extending tests from existing work on client-end and network-based interception. Utilizing this framework, we analyze six representative network appliances, and uncover several security issues regarding TLS version and certificate parameters mapping, CA trusted stores, private keys, and certificate validation tests. For instance, we found that two appliances perform no certificate validation at all, exposing their end-clients to trivial Man-in-the-Middle attacks. The remaining appliances that perform certificate validation, still do not follow current best practices, and thus making them vulnerable against certain attacks. We also found that all the tested appliances deceive the requesting clients, by offering TLS parameters that are different from the proxy-to-server TLS parameters, such as the TLS versions, hashing algorithms, and RSA key sizes. We hope that this work bring focus on the risks and vulnerabilities of using TLS proxies that are being widely deployed in many enterprise and government environments, potentially affecting all their users and systems.
Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.
Full frame distilled prediction
Teacher imitationNot calibrated prevalence, not ground truth. Human validation pending. Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.
Codex and Gemma teacher scores by category
| Category | Codex | Gemma |
|---|---|---|
| Metaresearch | 0.000 | 0.000 |
| Meta-epidemiology (narrow) | 0.000 | 0.000 |
| Meta-epidemiology (broad) | 0.000 | 0.000 |
| Bibliometrics | 0.000 | 0.001 |
| Science and technology studies | 0.000 | 0.000 |
| Scholarly communication | 0.000 | 0.000 |
| Open science | 0.001 | 0.001 |
| Research integrity | 0.000 | 0.000 |
| Insufficient payload (model declined to judge) | 0.001 | 0.003 |
Machine scores (provisional)
The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.
Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.
score_only:v0-immature-baseline · verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it