Networking tools may weaken Web security
SSL inspection tools, which let enterprise administrators examine encrypted traffic to find and block malicious activity, actually hinder HTTPS, says US-CERT
20 March 2017
As more of the Internet adopts HTTPS everywhere to secure communications, enterprises rely on inspection tools to examine encrypted traffic to make sure it doesn’t contain malicious activity. Unfortunately, the devices intended to verify the security of networking communications appear to be undermining HTTPS, US-CERT warned.
“All systems behind a HTTPS interception product are potentially affected,” the Dept of Homeland Security’s United States Computer Emergency Response Team wrote in its advisory.
The advisory refers to interception products, including inline network appliances like firewalls, secure web gateways, and data-loss-prevention products; client-side software like antivirus; and cloud-based inspection services. Networking and security vendors such as Blue Coat, Barracuda, Cisco, Microsoft, Sophos, Arbor Networks, Check Point, Symantec, F5 Networks, Fortinet, IBM Security, Juniper, Trustwave, and Trend Micro include TLS/SSL inspection in their products.
While US-CERT did not outright tell organisations to stop using these inspection products, it did advise them to ensure that the products they have deployed are performing correct TLS certificate validation. Enterprises should not assume that everything works as expected simply because the products are from recognisable brands. That does not appear to be the case for several popular products.
These interception products sit between clients and servers and intercept all encrypted traffic going in and out of the network, decrypt the traffic, inspect the contents, re-encrypt the traffic, and forward the stream to the intended destination. It is basically an authorised man-in-the-middle attack, but it is necessary for enterprises because it lets administrators see what may be hiding within legitimate traffic. Online attackers are increasingly encrypting their activities, whether it is malware communicating with command-and-control servers, crimeware kits downloaded to the compromised endpoint, or files transferred out of the network, and defenders need a way to see and block them.
TLS and the older SSL rely on digital certificates issued by a trusted certificate authority to authenticate the server to the client, that is, to verify that the server really is the client’s intended destination; only after that check passes do the two sides negotiate the keys that encrypt the session. If something is wrong with the certificate (expired, issued for a different hostname, signed by an untrusted party), the browser is supposed to display warnings to the user. CERT’s warning is based on the fact that in networks where interception products have been deployed, the client is no longer talking directly to the target server.
The browser can validate only its own leg of the connection, the one that terminates at the interception product, and that leg looks legitimate because the product presents a certificate it has minted for the destination, signed by a root that the enterprise has installed in the client’s trust store. The browser cannot tell whether the second leg, from the product to the server, is secure or has been compromised: nothing in its view shows how the product validated the server’s certificate chain, which protocol version and ciphers it negotiated, or whether an attacker sits between the product and the server.
“Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations,” the advisory said. “Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MITM [man in the middle] attacks by malicious third parties.”
Popular products fail
CERT cited an academic research paper written by researchers at Google, Mozilla, Cloudflare, the University of Michigan, the University of Illinois, UC Berkeley, and the International Computer Science Institute as the basis of its alert. Titled “The Security Impact of HTTPS Interception,” the paper found that network monitoring and security products that can inspect HTTPS traffic often degrade secure communications between clients and servers.
Researchers tested a range of the most common inspection tools and found the majority of them “drastically reduce” the security of TLS connections. The figures are eye-popping: 97% of Firefox, 32% of e-commerce, and 54% of Cloudflare connections that were intercepted by these tools became less secure. Proxies increased connection security for older clients, but the improvements “were modest compared to the vulnerabilities introduced,” the researchers said.
An even more damning indictment of network appliances: “A large number of these severely broken connections were due to network-based middleboxes rather than client-side security software.”
Of the 12 appliances tested, only the Blue Coat ProxySG 6642 achieved an A rating. Five (A10 vThunder SSL Insight, Checkpoint Threat Prevention, Cisco IronPort Web Security, Microsoft Threat Management Gateway, and WebTitan Gateway) introduced “severe vulnerabilities that would enable future interception by a man-in-the-middle attacker” and were given F ratings. Appliances from A10 and Cisco advertised export ciphers, Checkpoint allowed expired certificates, and Microsoft and WebTitan had broken certificate validation.
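The advisory’s requirement that the product itself perform the HTTPS validations, and the concrete failure modes graded above (disabled or broken certificate validation, old protocol versions, export-grade ciphers, no forward secrecy), can be turned into a check. The script below is an added example written for this article, not code from US-CERT, the researchers, or any vendor’s product. It builds two upstream (product-to-server) TLS configurations, one in the style that earned F grades and one that meets the advisory, audits each for those failure modes, and includes an optional network probe that a client sitting behind a deployed product can run against endpoints with deliberately bad certificates; the badssl.com host names used for that probe are an assumption about which public test endpoints a practitioner would pick, and the probe is not run offline.

```python
"""Audit the upstream TLS settings an HTTPS inspection product should enforce,
and optionally probe whether a deployed product actually rejects bad upstream
certificates.  Added example for this article; not US-CERT, research, or vendor
code.  The weak/strong contexts are constructed here to reproduce the failure
modes described in the text.
"""
import socket
import ssl
from typing import Dict, Iterable, List

WEAK_STRENGTH_BITS = 128            # export ciphers, RC4-40, DES, 3DES fall below this
NON_PFS_KEY_EXCHANGE = {"kx-rsa"}   # static RSA key exchange: no forward secrecy

# Assumed test endpoints (public badssl.com hosts with intentionally invalid certs).
DEFAULT_BAD_HOSTS = (
    "expired.badssl.com",
    "self-signed.badssl.com",
    "wrong.host.badssl.com",
    "untrusted-root.badssl.com",
)


def make_upstream_context(secure: bool) -> ssl.SSLContext:
    """Build the context an interception product would use for its server leg.

    secure=False mimics the F-grade configurations: no chain or hostname
    validation, pre-TLS-1.2 allowed, every cipher the library will negotiate.
    secure=True is what the advisory asks for.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if secure:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_default_certs()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    else:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:                  # TLS 1.0 compiled out; default is still < 1.2
            pass
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:                # builds without OpenSSL security levels
            ctx.set_ciphers("ALL")
    return ctx


def audit_upstream_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation and cipher weaknesses a reviewer would flag."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain validation disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname validation disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"accepts {ctx.minimum_version.name}; minimum should be TLSv1_2")
    for c in ctx.get_ciphers():
        if c["strength_bits"] < WEAK_STRENGTH_BITS:
            findings.append(f"offers weak cipher {c['name']} ({c['strength_bits']}-bit)")
        elif c["kea"] in NON_PFS_KEY_EXCHANGE:
            findings.append(f"offers non-forward-secret cipher {c['name']}")
    return findings


def probe_bad_upstreams(hosts: Iterable[str] = DEFAULT_BAD_HOSTS,
                        timeout: float = 5.0) -> Dict[str, str]:
    """Run from a client behind the product.  A strict local context is used, so
    without interception every handshake must fail.  A success means the product
    re-signed an invalid upstream chain with its trusted root, i.e. it is not
    validating (or is serving a block page; inspect what came back).  Needs network.
    """
    strict = ssl.create_default_context()
    results = {}
    for host in hosts:
        try:
            with socket.create_connection((host, 443), timeout=timeout) as raw:
                with strict.wrap_socket(raw, server_hostname=host):
                    results[host] = "ACCEPTED: interception product is not validating upstream"
        except ssl.SSLError as e:
            results[host] = f"rejected ({e.reason})"
        except OSError as e:
            results[host] = f"unreachable ({e})"
    return results


if __name__ == "__main__":
    for label, secure in (("F-grade style", False), ("advisory-compliant", True)):
        findings = audit_upstream_context(make_upstream_context(secure))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings[:8]:
            print("  -", f)
```

The offline part compares the two configurations; the compliant one produces no findings, the weak one reports disabled chain and hostname validation, a sub-1.2 minimum version, and the non-forward-secret or sub-128-bit suites the local OpenSSL still offers (the exact list depends on the build). The probe is the field check: from a machine behind the product, a handshake to a host with an expired, self-signed or mismatched certificate should be rejected, and if it is accepted instead, the product has substituted its own trusted chain for one it never validated.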