An alert warns of certificate-validation problems in some HTTPS inspection products.
The alert, issued by the Department of Homeland Security’s (DHS) US-CERT, is entitled “HTTPS Interception Weakens TLS Security.”
“Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations,” US-CERT said. “Failure [by the SSL/TLS interception software] to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MitM (Man-in-the-Middle) attacks by malicious third parties.”
Organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers, according to US-CERT.
This alert follows the publication earlier this month of a detailed study of the problem. The study concluded that HTTPS interception in the path between client and server (including that done on the client itself by anti-virus products) can weaken rather than strengthen network security.
The problem lies in how the HTTPS inspection product substitutes its own “trust” for the server’s: it terminates the client’s TLS session, validates the real server’s certificate on the client’s behalf, and presents the client a certificate issued by the product’s own CA. If that validation is incomplete, the client still sees a clean, trusted connection, and tests have shown that many of the products are lacking here.
“Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MitM attack,” US-CERT said. “Certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server.” It adds, “Because client systems may connect to the HTTPS inspection product using strong cryptography, the user will be unaware of any weakness on the other side of the HTTPS inspection.”
“Organizations using an HTTPS inspection product should verify that their product properly validates certificate chains and passes any warnings or errors to the client,” US-CERT said. “A partial list of products that may be affected is available at The Risks of SSL Inspection. Organizations may use badssl.com as a method of determining if their preferred HTTPS inspection product properly validates certificates and prevents connections to sites using weak cryptography. At a minimum, if any of the tests in the Certificate section of badssl.com prevent a client with direct Internet access from connecting, those same clients should also refuse the connection when connected to the Internet by way of an HTTPS inspection product.”
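The badssl.com check US-CERT describes can be scripted. The following is an added example (not code from US-CERT or from the alert) that performs the Certificate-section handshakes with a properly validating client, once with direct Internet access and once through an explicit HTTP CONNECT proxy standing in for the inspection product, and lists every host the direct client refused but the inspected path accepted. The hostnames are taken from badssl.com's Certificate section and should be checked against the site's current list; the `proxy` argument, the function names and the script's output format are assumptions of this example. For a transparent inspection product, run the script once on a host with direct access and once on a host behind the product, and compare the two result sets with `validation_gaps`.

```python
"""
Added example: run badssl.com's certificate tests from a client with direct
Internet access and again through an HTTPS inspection product, and flag every
test the direct client refuses but the inspected client accepts.
"""
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple

# Hosts from badssl.com's "Certificate" section. True = a validating client must
# accept, False = it must refuse. Check badssl.com for the current list.
CERT_TESTS: Dict[str, bool] = {
    "badssl.com": True,                 # control: valid certificate
    "expired.badssl.com": False,
    "wrong.host.badssl.com": False,
    "self-signed.badssl.com": False,
    "untrusted-root.badssl.com": False,
}


def validating_context() -> ssl.SSLContext:
    """Client context that validates the chain against the system trust store
    and checks the hostname, i.e. what US-CERT says the inspection product
    itself must do on the client's behalf."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _read_connect_reply(sock: socket.socket) -> bytes:
    """Read the proxy's reply to CONNECT up to the end of its headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, proxy: Optional[Tuple[str, int]] = None,
          timeout: float = 10.0) -> Tuple[bool, str]:
    """TLS handshake to host:443, directly or via an explicit HTTP CONNECT proxy.
    The hypothetical `proxy` argument models an explicit inspection product; for
    a transparent one, run the script on a host behind it instead.
    Returns (accepted, detail)."""
    ctx = validating_context()
    try:
        if proxy is not None:
            raw = socket.create_connection(proxy, timeout=timeout)
            raw.sendall(f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n".encode())
            status = _read_connect_reply(raw).split(b"\r\n", 1)[0]
            if b" 200" not in status:
                raw.close()
                return False, "proxy refused CONNECT: " + status.decode(errors="replace")
        else:
            raw = socket.create_connection((host, 443), timeout=timeout)
        # wrap_socket performs the handshake and raises if validation fails
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return True, f"accepted ({tls.version()})"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.reason}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


def expectation_mismatches(results: Dict[str, bool]) -> List[str]:
    """Hosts whose result differs from CERT_TESTS. For the direct run this
    should be empty; otherwise the baseline client itself is suspect."""
    return sorted(h for h, ok in results.items()
                  if h in CERT_TESTS and ok != CERT_TESTS[h])


def validation_gaps(direct: Dict[str, bool], inspected: Dict[str, bool]) -> List[str]:
    """Hosts the direct client refused but the inspected client accepted: each
    is a case where the product failed to validate the server's chain or
    failed to pass the error on to the client."""
    return sorted(h for h, ok in direct.items()
                  if not ok and inspected.get(h, False))


def run(proxy: Optional[Tuple[str, int]] = None) -> Dict[str, bool]:
    """Probe every test host and return {host: accepted}."""
    results: Dict[str, bool] = {}
    for host in CERT_TESTS:
        ok, detail = probe(host, proxy)
        results[host] = ok
        print(f"{host:28} {detail}")
    return results


if __name__ == "__main__":
    # usage: python check_inspection.py              (direct run only)
    #        python check_inspection.py PROXY PORT   (direct run, then via proxy)
    direct = run()
    print("baseline mismatches:", expectation_mismatches(direct))
    if len(sys.argv) == 3:
        inspected = run((sys.argv[1], int(sys.argv[2])))
        print("validation gaps in inspection product:", validation_gaps(direct, inspected))
```

A non-empty `validation_gaps` list is exactly the failure US-CERT describes: the product accepted a chain the client would have refused, and the client was never told. A non-empty `expectation_mismatches` on the direct run means the baseline client's own trust store or validation is off and the comparison is not meaningful until that is fixed.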