The Department of Homeland Security’s US-CERT group has issued an advisory warning enterprises that many security appliances that perform HTTPS inspection through a man-in-the-middle position don’t correctly verify certificate chains before forwarding traffic, weakening the security benefits of TLS in the process.
The advisory comes after a recent paper by security researchers from Google, Mozilla, Cloudflare, University of Michigan, and elsewhere looked at traffic interception appliances and their effect on secure connections. The researchers built a set of heuristics to enable servers to detect HTTPS interception, and found that interception boxes “drastically reduce connection security.”
US-CERT on Thursday followed up on this work, warning corporate security teams about the effects of these traffic interception appliances. The main problem is that, in order to inspect encrypted traffic leaving clients such as browsers, the appliance holds a CA certificate that the clients are configured to trust, so it can issue its own certificate for any site on the fly and terminate the client’s TLS session itself. Because the traffic is decrypted, inspected, and then re-encrypted on the appliance, the client has no control over, or visibility into, the second connection: which certificate chain the destination web server presented, whether that chain was validated, and which ciphers and protocol versions were negotiated.
“The problem with this architecture is that the client systems have no way of independently validating the HTTPS connection. The client can only verify the connection between itself and the HTTPS interception product. Clients must rely on the HTTPS validation performed by the HTTPS interception product,” the US-CERT advisory says.
“Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MiTM attack. Furthermore, certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server.”
Appliances that perform SSL interception and inspection have become a large product category in recent years, as enterprises looked for ways to monitor employees’ web usage and stop attackers from exfiltrating data over encrypted connections. Vendors such as Blue Coat, Barracuda, and Cisco sell boxes that perform HTTPS inspection for enterprise networks, and many anti-malware products perform SSL interception on the endpoint as well. Security researchers have cautioned about the risks of SSL interception for some time, and US-CERT said in its advisory that organizations should ensure that any such product they deploy performs certificate validation correctly.
“Organizations using an HTTPS inspection product should verify that their product properly validates certificate chains and passes any warnings or errors to the client,” the advisory says.
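One practical way to carry out that check from a client sitting behind the appliance is to attempt full-verification TLS handshakes to endpoints whose chains are known to be broken (expired leaf, self-signed leaf, host-name mismatch, untrusted root) plus one known-good control, and see whether the failures reach the client. If a known-bad endpoint connects cleanly, the appliance either re-signed a chain it should have rejected or validated it and swallowed the error, which is exactly the failure the advisory describes. The script below is an added example, not code from the advisory or from any vendor; the `*.example.test` host names are placeholders the reader substitutes with endpoints they control or a public test service, and the issuer name reported for the control endpoint also reveals whether interception is taking place at all (it will be the appliance’s CA rather than the site’s real CA).

```python
"""Probe whether an HTTPS interception appliance surfaces upstream
certificate errors to the client (added example, not from the advisory)."""
import socket
import ssl

# Constructed list of placeholder hosts: (hostname, why the handshake SHOULD fail).
# Replace these with endpoints that really present the broken chain described.
BROKEN_ENDPOINTS = [
    ("expired.example.test", "expired leaf certificate"),
    ("self-signed.example.test", "self-signed leaf"),
    ("wrong-host.example.test", "subject does not match host name"),
    ("untrusted-root.example.test", "chain ends in an unknown CA"),
]
GOOD_ENDPOINT = ("valid.example.test", "control: chain should validate")


def probe(host, port=443, timeout=5.0):
    """Do a TLS handshake with chain and host-name verification enabled.

    Returns a dict: 'ok' is True only if the handshake completed with a
    chain the local trust store accepts; 'issuer' is the issuer CN of the
    leaf the client actually received (behind an interception appliance,
    that is the appliance's CA, not the real site's); 'error' holds the
    verification or transport failure, if any.  Never raises.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # issuer is a tuple of RDNs, each a tuple of (key, value) pairs
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
                return {"host": host, "ok": True,
                        "issuer": issuer.get("commonName", "?"), "error": None}
    except ssl.SSLCertVerificationError as e:
        return {"host": host, "ok": False, "issuer": None,
                "error": "verify failed: %s" % (e.reason or e)}
    except (ssl.SSLError, OSError) as e:
        return {"host": host, "ok": False, "issuer": None, "error": str(e)}


def assess(results, should_fail):
    """Return (host, finding) pairs where the outcome contradicts expectation.

    results: list of probe() dicts; should_fail: set of host names whose
    chains are known-bad.  A known-bad host that connected cleanly means the
    appliance masked a certificate error; a control host that failed means
    the test setup itself is broken and the other results are not trustworthy.
    """
    findings = []
    for r in results:
        if r["host"] in should_fail and r["ok"]:
            findings.append((r["host"], "appliance masked certificate error"))
        elif r["host"] not in should_fail and not r["ok"]:
            findings.append((r["host"], "control endpoint failed: %s" % r["error"]))
    return findings


if __name__ == "__main__":
    targets = BROKEN_ENDPOINTS + [GOOD_ENDPOINT]
    results = [probe(host) for host, _ in targets]
    for r, (_, reason) in zip(results, targets):
        print("%-28s ok=%-5s issuer=%-20s %s" % (r["host"], r["ok"], r["issuer"], reason))
    bad = {host for host, _ in BROKEN_ENDPOINTS}
    for host, finding in assess(results, bad):
        print("FINDING:", host, finding)
```

Run it twice, once from a host outside the interception path and once behind the appliance, and compare: the outside run establishes that each broken endpoint really does fail with a verification error, and any endpoint that fails outside but succeeds inside is one the appliance is silently accepting.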