US-20260129079-A1 - SYSTEMS AND METHODS FACILITATING CONNECTION OF BROWSERS HAVING DIFFERENT TRANSPORT LAYER SECURITY VERSIONS USING A REVERSE PROXY SERVER
Abstract
Aspects of the subject disclosure may include, for example, deploying a reverse proxy server in front of a first type of web servers and a second type of web servers, where the first type of web servers is compliant with a current version of payment card industry data security standard (PCI DSS) and supports a first version of a transport layer security (TLS) protocol, and where the second type of web servers supports one or more TLS protocols that are older than the first version of TLS protocol, detecting, using the reverse proxy server, a TLS protocol version used in an incoming request, and determining, using the reverse proxy server, routing of the incoming request to one of the first type of web servers and the second type of web servers at least based on the detected TLS protocol version. Other embodiments are disclosed.
Inventors
- Tarun Chaki
Assignees
- AT&T INTELLECTUAL PROPERTY I, L.P.
Dates
- Publication Date
- 20260507
- Application Date
- 20241105
Claims (20)
- 1 . A device, comprising: a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, the operations comprising: receiving a first web request from a first browser of a first client machine; receiving a second web request from a second browser of a second client machine, wherein the first browser uses a first version of a transport layer security (TLS) protocol and the second browser uses a second version of the TLS protocol; detecting the first version of the TLS protocol from the first web request; detecting the second version of the TLS protocol from the second web request; routing the first web request to a first web server that is compliant with a current version of payment card industry data security standard (PCI DSS); and routing the second web request to a second web server that is lacking a predetermined function of the first web server.
- 2 . The device of claim 1 , wherein the second web server is configured to communicate with web requests using one or more versions of the TLS protocol that are non-compliant with the current version of PCI DSS.
- 3 . The device of claim 1 , wherein the current version of PCI DSS includes PCI DSS version 4.0 and the first version of the TLS protocol includes TLS version 1.3; and wherein the routing the second web request further comprises routing, to the second web server, the second web request using TLS version 1.2 or older, wherein TLS version 1.2 is compliant with PCI DSS version 4.0 and the second web request uses a cryptographic cipher suite that is not supported in TLS version 1.3.
- 4 . The device of claim 1 , wherein the operations further comprise arranging a reverse proxy server between the first and the second client machines and the first and the second web servers.
- 5 . The device of claim 4 , wherein the operations further comprise configuring the reverse proxy server to: detect a version of the TLS protocol from an incoming web request; and determine to route the incoming web request to the first web server or the second web server at least based on the version of the TLS protocol.
- 6 . The device of claim 5 , wherein the operations further comprise configuring the reverse proxy server to: detect that the version of the TLS protocol is not a particular version of the TLS protocol; and convert the detected version of the TLS protocol to the particular version of the TLS protocol.
- 7 . The device of claim 1 , wherein the predetermined function of the first web server comprises a credit card payment function, and wherein the operations further comprise providing a response including an alternative payment method excluding the credit card payment function from the second web server to the second client machine.
- 8 . A non-transitory machine-readable medium, comprising executable instructions that, when executed by a processing system including a processor, facilitate performance of operations, the operations comprising: deploying a reverse proxy server in front of a first type of web servers and a second type of web servers, wherein the first type of web servers is compliant with a current version of payment card industry data security standard (PCI DSS) and supports a first version of a transport layer security (TLS) protocol, and wherein the second type of web servers supports one or more TLS protocols that are older than the first version of TLS protocol; receiving an incoming request from a browser of a client machine; detecting, using the reverse proxy server, a TLS protocol version used in the incoming request; determining, using the reverse proxy server, routing of the incoming request to one of the first type of web servers and the second type of web servers at least based on the detected TLS protocol version; and transmitting the determination to a router to route the incoming request.
- 9 . The non-transitory machine-readable medium of claim 8 , wherein the operations further comprise: configuring the first type of web servers to provide a full set of functionalities including processing a credit card payment.
- 10 . The non-transitory machine-readable medium of claim 9 , wherein the operations further comprise configuring the second type of web servers to provide an alternative form of payment excluding the processing the credit card payment.
- 11 . The non-transitory machine-readable medium of claim 8 , wherein the determining routing of the incoming request further comprises determining the routing of the incoming request based on cryptographic cipher suites parameters and the detected TLS protocol version.
- 12 . The non-transitory machine-readable medium of claim 8 , wherein the operations further comprise: receiving application program interface (API) calls and audit logs of the first type of web servers at a center location; and applying artificial intelligence/machine learning (AI/ML) techniques to the API calls and the audit logs for detecting threat and data breach.
- 13 . The non-transitory machine-readable medium of claim 12 , wherein the applying the AI/ML techniques further comprises applying K-Nearest neighbor algorithm.
- 14 . The non-transitory machine-readable medium of claim 12 , wherein the applying the AI/ML techniques further comprises applying the AI/ML techniques to perform anomaly detection, AI/ML assisted cipher threat hunting, coordination and reporting, automation of repetitive manual tasks, or a combination thereof.
- 15 . A method, comprising: deploying, by a processing system including a processor, a reverse proxy server in front of a first type of web servers and a second type of web servers, wherein the first type of web servers is compliant with a current version of payment card industry data security standard (PCI DSS) and supports a first version of a transport layer security (TLS) protocol, and wherein the second type of web servers supports one or more TLS protocols that are older than the first version of TLS protocol and different cryptographic cipher suites; receiving, by the processing system, an incoming request from a browser of a client machine; detecting, by the processing system, using the reverse proxy server, a TLS protocol version and cryptographic cipher suites used in the incoming request; configuring, by the processing system, the reverse proxy server to determine routing of the incoming request to one of the first type of web servers and the second type of web servers at least based on the detected TLS protocol version and cryptographic cipher suites; and transmitting, by the processing system, the determination of routing of the incoming request to a router to route the incoming request.
- 16 . The method of claim 15 , further comprising: collecting, by the processing system, activity information from the first type of web servers; analyzing, by the processing system, the activity information with artificial intelligence/machine learning (AI/ML) techniques; and detecting, by the processing system, security threats based on the analysis with the AI/ML techniques.
- 17 . The method of claim 15 , further comprising: receiving, by the processing system, a plurality of incoming requests from a plurality of browsers of a plurality of client machines; and configuring, by the processing system, the reverse proxy server to bifurcate the plurality of incoming requests to the first type of web servers or the second type of web servers based on the TLS protocol version and cryptographic cipher suites used in each incoming request, wherein the configuring the reverse proxy server further includes configuring an access control list for the first type of web servers and the second type of web servers, respectively.
- 18 . The method of claim 15 , further comprising: receiving, by the processing system, a plurality of incoming requests from a plurality of browsers of a plurality of client machines; and configuring, by the processing system, the reverse proxy server to reduce the PCI DSS destined traffic sent to the first type of web servers among the plurality of incoming requests.
- 19 . The method of claim 18 , further comprising: applying, by the processing system, AI/ML techniques to the reduced PCI DSS destined traffic to detect data breaches, anomaly, cipher threat hunting, or a combination thereof.
- 20 . The method of claim 18 , comprising: redirecting, by the processing system, at least a part of the plurality of incoming requests to the second type of web servers, wherein the at least a part of the plurality of incoming requests utilize the one or more TLS protocols that are older than the first version of TLS protocol and support different cryptographic cipher suites, and wherein the one or more TLS protocols include a second version of TLS protocol that is compliant with the PCI DSS.
Description
FIELD OF THE DISCLOSURE

The subject disclosure relates to systems and methods facilitating connection of browsers having different transport layer security versions using a reverse proxy server.

BACKGROUND

Businesses or enterprises that process, store, transmit, or impact the security of cardholder data must comply with Payment Card Industry Data Security Standard (PCI DSS) version 4.0 by Mar. 31, 2024 and will have to adopt the requirements that PCI DSS version 4.0 identifies as future-dated by Mar. 31, 2025. Non-compliance with PCI DSS version 4.0 will result in fines being imposed on merchants. When a merchant web site is upgraded to stronger cryptographic cipher suites compliant with PCI DSS version 4.0, customers with older browser versions may no longer be able to establish a Transport Layer Security (TLS) connection to the merchant web site because the TLS handshake fails. Customers may use various types of user equipment to connect to the merchant web site, such as handsets, tablets, autonomous vehicles, connected cars, unmanned aerial vehicles, etc., and different user equipment may use different browsers to connect to the internet. FIG. 1 illustrates one example of a browser TLS handshake failure in the prior art. As another example of such a failure, customers may receive no response or a blank screen. Depending on browser type, browser version, etc., customers may experience a wide range of responses, including no response at all. These customers do not know how to resolve the connection problem and may be discouraged, assume that the merchant web site no longer operates, and/or simply turn to competitors' websites.

BRIEF DESCRIPTION OF THE DRAWINGS

Reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:

FIG. 1 illustrates one example of failure in a browser Transport Layer Security handshake in the prior art.
FIG. 2A is a block diagram illustrating an exemplary, non-limiting embodiment of a communications network in accordance with various aspects described herein.
FIG. 2B illustrates one example of the nomenclature of cipher suites.
FIG. 2C illustrates an example, non-limiting embodiment of the handshake processes of TLS version 1.2 and version 1.3.
FIG. 2D is a block diagram illustrating an example, non-limiting embodiment of a system functioning within the communication network of FIG. 2A in accordance with various aspects described herein.
FIG. 2E illustrates an example, non-limiting embodiment of an Access Control List configuration in accordance with various aspects described herein.
FIG. 2F illustrates an example, non-limiting embodiment of network traffic flow in accordance with various aspects described herein.
FIG. 2G illustrates an example, non-limiting embodiment of different responses by web servers in accordance with various aspects described herein.
FIG. 2H depicts an illustrative embodiment of a method in accordance with various aspects described herein.
FIG. 2I depicts an illustrative embodiment of a method in accordance with various aspects described herein.
FIG. 3 is a block diagram illustrating an example, non-limiting embodiment of a virtualized communication network in accordance with various aspects described herein.
FIG. 4 is a block diagram of an example, non-limiting embodiment of a computing environment in accordance with various aspects described herein.
FIG. 5 is a block diagram of an example, non-limiting embodiment of a mobile network platform in accordance with various aspects described herein.
FIG. 6 is a block diagram of an example, non-limiting embodiment of a communication device in accordance with various aspects described herein.
DETAILED DESCRIPTION

The subject disclosure describes, among other things, illustrative embodiments for systems and methods facilitating connection of browsers having different transport layer security versions to merchant websites using a reverse proxy server. Merchant web servers are compliant with a current version of Payment Card Industry Data Security Standard (PCI DSS), such as PCI DSS version 4.0. The current version of PCI DSS requires stronger cryptographic cipher suites for setting up Transport Layer Security (TLS) connections between customer browsers and merchant web servers. Customer browsers may use different TLS versions that may or may not be compliant with the requirements of the current version of PCI DSS (e.g., the required cryptographic cipher suites). The systems and methods facilitate connections of customer browsers to merchant web servers regardless of the TLS version a customer browser uses. More specifically, the systems and methods utilize a reverse proxy server configured to bifurcate incoming requests and redirect them to different web server(s) based on the TLS version (and, in some embodiments, the cipher suites) offered by the customer browser. Because only requests from compliant browsers reach the PCI DSS web servers, the systems and methods can reduce the PCI DSS scope. Other embodiments are des
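The detection and routing step described above, as an added worked example that is not part of the patent (the patent specifies no code, product or configuration): a Python parser that reads the offered TLS versions and cipher suites out of a raw ClientHello record, and a routing function that applies a bifurcation policy of the kind the claims describe. The backend pool names, the allow-list of modern AEAD suites, and the policy that only a client offering TLS 1.3 together with such a suite is sent to the PCI DSS pool are assumptions made for illustration; the three sample ClientHellos are constructed inline, not captured traffic. One caveat the example makes concrete: a TLS 1.3 ClientHello carries legacy_version 0x0303 (TLS 1.2) in its fixed header and announces 1.3 only in the supported_versions extension (RFC 8446 section 4.2.1), so a proxy that inspects only the header field would misroute every current browser to the legacy pool.

```python
"""Added example (not code from the patent): parse a TLS ClientHello and
decide which backend pool a reverse proxy should route it to.

Record and handshake layout per RFC 5246 / RFC 8446. Backend pool names,
the MODERN_SUITES allow-list and the routing policy are assumptions."""
import struct

TLS13, TLS12 = 0x0304, 0x0303
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 section 4.2.1

# Assumed allow-list: AEAD suites a PCI DSS 4.0 backend would be configured for.
MODERN_SUITES = {
    0x1301, 0x1302, 0x1303,  # TLS 1.3 AES-GCM / ChaCha20-Poly1305
    0xC02B, 0xC02C,          # TLS 1.2 ECDHE-ECDSA AES-GCM
    0xC02F, 0xC030,          # TLS 1.2 ECDHE-RSA AES-GCM
}


def parse_client_hello(record: bytes) -> dict:
    """Return {'versions': [...], 'cipher_suites': [...]} from a raw TLS
    record holding a ClientHello. 'versions' comes from the supported_versions
    extension when present, else from legacy_version, because a TLS 1.3 hello
    still writes 0x0303 into legacy_version. Raises ValueError on bad input."""
    try:
        if record[0] != 0x16:  # content type: handshake
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        body = record[5:5 + rec_len]
        if body[0] != 0x01:  # handshake type: client_hello
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            raise ValueError("truncated ClientHello")
        (legacy_version,) = struct.unpack("!H", hello[:2])
        pos = 2 + 32                      # skip random
        pos += 1 + hello[pos]             # skip legacy_session_id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        suites = [struct.unpack("!H", hello[i:i + 2])[0]
                  for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hello[pos]             # skip compression_methods
        versions = [legacy_version]
        if pos + 2 <= len(hello):         # extensions block is optional
            (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
            pos, end = pos + 2, pos + 2 + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
                data = hello[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                if etype == EXT_SUPPORTED_VERSIONS:
                    versions = [struct.unpack("!H", data[i:i + 2])[0]
                                for i in range(1, 1 + data[0], 2)]
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc
    return {"versions": versions, "cipher_suites": suites}


def route(record: bytes) -> str:
    """Bifurcation policy (assumed): TLS 1.3 plus a modern suite goes to the
    PCI DSS pool; everything else goes to the legacy pool, which the patent
    describes as offering no card-payment function."""
    info = parse_client_hello(record)
    if TLS13 in info["versions"] and MODERN_SUITES & set(info["cipher_suites"]):
        return "pci-backend"
    return "legacy-backend"


def is_client_hello(record: bytes) -> bool:
    """True if the record parses as a ClientHello; lets the proxy drop junk early."""
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


def build_client_hello(legacy_version, suites, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record; used only to make sample input."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    if supported_versions:
        data = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample hellos (not captured traffic).
MODERN_HELLO = build_client_hello(TLS12, [0x1301, 0xC02F], [TLS13, TLS12])  # current browser
TLS12_ONLY_HELLO = build_client_hello(TLS12, [0xC02F, 0x002F])               # TLS 1.2, no extension
LEGACY_HELLO = build_client_hello(0x0301, [0x002F, 0x000A])                  # TLS 1.0, AES-CBC / 3DES

if __name__ == "__main__":
    for name, hello in [("modern", MODERN_HELLO), ("tls12", TLS12_ONLY_HELLO), ("legacy", LEGACY_HELLO)]:
        print(name, [hex(v) for v in parse_client_hello(hello)["versions"]], "->", route(hello))
```

Running the block prints the version list and pool for each constructed hello: the modern hello is sent to the PCI pool only because the parser read the supported_versions extension, while the TLS 1.2-only and TLS 1.0 hellos go to the legacy pool. In a real deployment the same decision would sit in the proxy's ClientHello inspection hook (for example nginx's ssl_preread module or HAProxy's req.ssl_ver fetch) rather than in a hand-written parser, and the legacy pool should still be held to the strongest configuration its clients can negotiate, since routing on offered versions does not by itself make the legacy backend safe.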