Cloudfare announced the release of two new tools designed to make it simpler to check if TLS connections to a website have been intercepted, to detect vulnerable clients and potentially notify them when their security is compromised or degraded.
The reasons behind HTTPS interception can be both benign and malicious, and it happens when Internet connections go through a proxy or a middlebox instead of connecting the client directly to the server, leading to situations dubbed "monster-in-the-middle" by Cloudfare.
A research paper on the
security impact of HTTPS interception from 2017 found that HTTPS connection interception is startlingly widespread, with "62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities."
The new tools help detect and analyze intercepted TLS connections
In addition, after looking into the behavior of popular antivirus and corporate proxies, the researchers found that "nearly all reduce connection security and that many introduce vulnerabilities (e.g., fail to validate certificates)."
Cloudfare
announced the introduction of two new tools, an open source library for HTTPS interception detection named
MITMEngine and a dashboard which displays statistics metrics about TLS connections being intercepted as observed by Cloudflare on its network called
MALCOLM.
According to the company, HTTPS interception can occur when devices come with an installed root certificate which might allow a third party to decrypt and inspect Internet traffic or when "an origin server provides its TLS private key to a third party (like a reverse proxy) that does TLS termination."
