Security News US-CERT: Security Products That Perform HTTPS Interception Weaken Security

Solarquest

In an advisory sent to enterprises across the US, the Department of Homeland Security’s US-CERT group is warning that security products which perform HTTPS interception might weaken a company's overall security.

HTTPS inspection is a method where security products set up a man-in-the-middle proxy for HTTPS traffic. The proxy stands between the client and the remote server and intercepts HTTPS traffic, inspecting it for malware, and rebuilding the connection.

The issue comes from the fact that many security products, such as firewalls or antivirus products, fail to reconstruct the SSL connections to the same standards clients and servers negotiated.

"Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MiTM attack," US-CERT wrote in its advisory. "Furthermore, certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server."

Research paper triggered CERT warning
The CERT advisory came after a group of security experts published a research paper at the start of the month titled "The Security Impact of HTTPS Interception."
More details in the link above
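A client-side check for the two failures the advisory names: certificate-chain errors that the inspecting product never forwards to the client, and a re-encrypted client leg negotiated to a weaker standard than the browser and origin server would have agreed on. This is an added example, not code from US-CERT, from the advisory or from the linked paper; it assumes the machine running it sits behind the inspecting product (so the proxy terminates every handshake below) and that the public badssl.com test hosts, which the page does not mention, are reachable. Host names, thresholds and the weak-cipher markers are this example's own choices.

```python
"""Probe an HTTPS-inspecting proxy from the client side (added example)."""
import socket
import ssl

# Assumption: public hosts that deliberately serve broken certificates.
# A proxy that verifies upstream chains and forwards the failure makes these
# handshakes fail here too; a proxy that silently re-signs lets them succeed.
BAD_CERT_HOSTS = [
    "expired.badssl.com",
    "self-signed.badssl.com",
    "untrusted-root.badssl.com",
    "wrong.host.badssl.com",
]
GOOD_HOST = "badssl.com"

# Thresholds chosen for this example, not taken from the advisory.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")
MINIMUM_VERSION = "TLSv1.2"
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def probe(host, port=443, timeout=5.0):
    """Handshake with full chain and hostname verification.

    Returns (status, detail): "rejected" when a certificate error reached us,
    "accepted" when the handshake completed (detail carries version and
    cipher of the leg we see), "unreachable" for network problems.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted", {"version": tls.version(),
                                    "cipher": tls.cipher()}
    except ssl.SSLCertVerificationError as exc:  # must precede SSLError
        return "rejected", str(exc)
    except (OSError, ssl.SSLError) as exc:
        return "unreachable", str(exc)


def interpret(expect_bad_cert, status):
    """Turn a probe status into a finding about the interception product."""
    if status == "unreachable":
        return "inconclusive: host not reachable"
    if expect_bad_cert and status == "accepted":
        return "FAIL: certificate error was not forwarded to the client"
    if expect_bad_cert and status == "rejected":
        return "OK: certificate error reached the client"
    if not expect_bad_cert and status == "rejected":
        return "WARN: valid site rejected (proxy CA missing from trust store?)"
    return "OK: valid site accepted"


def assess_parameters(version, cipher):
    """Flag a client-side leg below MINIMUM_VERSION or using a weak cipher.

    cipher is the 3-tuple ssl.SSLSocket.cipher() returns:
    (name, protocol_version, secret_bits).
    """
    findings = []
    if (version not in VERSION_ORDER
            or VERSION_ORDER.index(version) < VERSION_ORDER.index(MINIMUM_VERSION)):
        findings.append(f"protocol {version} below {MINIMUM_VERSION}")
    name, _, bits = cipher
    if any(marker in name for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {name}")
    if bits < 128:
        findings.append(f"cipher strength {bits} bits < 128")
    return findings


if __name__ == "__main__":
    for host in BAD_CERT_HOSTS:
        status, _ = probe(host)
        print(f"{host:28s} {interpret(True, status)}")
    status, detail = probe(GOOD_HOST)
    print(f"{GOOD_HOST:28s} {interpret(False, status)}")
    if status == "accepted":
        print("  negotiated:", detail["version"], detail["cipher"][0])
        for finding in assess_parameters(detail["version"], detail["cipher"]):
            print("  finding:", finding)
```

Run it once with the inspecting product disabled to confirm all four bad-certificate hosts are rejected by the local TLS stack, then again with inspection enabled: any "FAIL" line means the product swallowed a verification error, and findings on the good host show how far the re-encrypted leg has drifted from what the browser would negotiate on its own.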
 
It does sound like a massive challenge to be able to re-encrypt the traffic in the same manner that it is encrypted, but it does seem doable.

Realistically they are listening to the same conversation as the client, so as they see the negotiation take place they should actively be ready to match whatever encryption methods are about to be used in real time.

This seems like a bug that can be overcome.
And if not it'll take away a HUGE portion of the visibility enterprises currently have.

I am actually really interested in seeing these types of packet re-construction software in action.
Unfortunately I have not yet.
 
https://jhalderm.com/pub/papers/interception-ndss17.pdf

The Security Impact of HTTPS Interception


I checked on my ESET GUI and SSL/TLS protocol filtering is not enabled by default. Maybe I should keep it that way? And the rest of us?
 
The Risks of SSL Inspection

Potentially Affected Software

By performing a web search for "ssl inspection," we were able to construct a list of applications that may be affected by a number of the above-outlined vulnerabilities. However, due to time and resource constraints, we have not been able to acquire or test a number of these applications, so we are soliciting feedback from the community to ascertain their status. Just because a product is listed, does not necessarily mean that it contains any of the seven vulnerabilities above. The list of applications possibly affected includes the following:

[image: list of applications potentially affected by SSL inspection vulnerabilities]

Again, just because a product is listed, does not mean that it is necessarily vulnerable.
 