Common pitfalls of breaking up HTTPS connections

[Gandalf_The_Grey]

Let me say it up front: breaking up end-to-end-encrypted HTTPS connections is bad. No matter why you think that you need to inspect and/or modify the contents of an HTTPS connection, please consider not doing it. And if you still think that you absolutely need it, please sit down and consider again just not doing it.

Unfortunately, I know that way too often this advice won’t be followed. And I don’t mean tools like the Burp Suite which only break up end-to-end-encryption of HTTPS connections temporarily to aid developers or security researchers. No, it’s rather the antivirus applications which do it because they want to scan all your traffic for potential threats. Or companies which do it because they want to see everything happening on their network.

Usually this results in privacy and/or security issues of varying severity. A while ago I already discussed the shortcomings of Kaspersky’s approach. I later found a catastrophic issue with Bitdefender’s approach. And altogether I’ve seen a fair share of typical issues in this area which are really hard to avoid. Let me explain.

Conclusion​

For browser vendors providing the most secure HTTPS experience possible is a priority. So they invest significant resources into it, and that’s in fact necessary. Supporting HTTPS properly is far from being a simple task, and continuous changes are required.

Vendors implementing HTTPS proxies often have neither the know-how nor the incentives to ensure the same quality in their implementations. While their solutions appear to work, they tend to degrade the security and privacy level and to undermine the work done by browser vendors.

Common pitfalls of breaking up HTTPS connections

HTTPS proxies (antivirus, company network proxies) breaking up end-to-end-encrypted connections typically introduce a number of privacy and/or security issues. This article explains some common ones.

palant.info