Vulnerabilities / Threats
3/16/2017
05:15 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
100%
0%

US-CERT Warns That HTTPS Inspection Tools Weaken TLS

Turns out that man-in-the-middling your own traffic isn't the safest way to look for man-in-the-middle attacks.

HTTPS inspection tools are, in essence, a security team's authorized man-in-the-middle attacker: they intercept encrypted SSL/TLS traffic, in order to, for example, search it for malware that uses HTTPS to connect to malicious servers. However, in an alert today, US-CERT warned that HTTPS interception weakens TLS security, advising that organizations "carefully consider the pros and cons of such products before implementing."

Normally, a Web browser will alert a user to weak ciphers, deprecated protocol versions, or other reasons that certificates should not be trusted and connections might be dangerous. Once an HTTPS interception tool is introduced, however, the user must put all its trust in the tool.

From the US-CERT alert:

"Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties."

Unfortunately, researchers have found these products lacking when it comes to those validation practices. For example - as noted in works cited in the advisory, "The Risks of SSL Inspection" and "The Security Impact of HTTPS Interception" - some HTTPS inspection products do incomplete validation of upstream certificates, others conduct complete validation but fail to convey the results back to the client, and others will complete communication to the target server before issuing warnings to the user.   

HTTPS interception capabilities are built into a wide variety of security tools, including firewalls, secure web gateways, data loss prevention products, and other applications. A partial list of potentially affected applications is available here

US-CERT recommends that organizations use the testing resources at BadSSL.com to determine whether or not their HTTPS interception applications are properly validating certificates and preventing connections to sites using weak cryptography.

"At a minimum," states the alert, "if any of the tests in the Certificate section of badssl.com prevent a client with direct Internet access from connecting, those same clients should also refuse the connection when connected to the Internet by way of an HTTPS inspection product." 

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 5   >   >>
Mr Phen375
50%
50%
Mr Phen375,
User Rank: Apprentice
10/13/2017 | 11:25:37 AM
Where to find the list?
Where can I find the list to help hone down the possibilities for vulnerable devices?
TimTonne
50%
50%
TimTonne,
User Rank: Apprentice
9/11/2017 | 12:51:01 PM
re: Strom Vergleich
This website answer every question i had about correction. So , thank you.
LisaB845
50%
50%
LisaB845,
User Rank: Apprentice
8/29/2017 | 8:12:43 AM
re: professional logo design
this is very useful, thanks
Ludivina
50%
50%
Ludivina,
User Rank: Strategist
4/27/2017 | 2:48:14 PM
buy instagram followers web example
The HTTPS is pretty good when we talk about security, but it still needs improvements.
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
4/24/2017 | 3:03:34 AM
Re: Great article! 192.168.0.1
Excellent post, i was happy to find it!
forskolinfuel
50%
50%
forskolinfuel,
User Rank: Apprentice
4/19/2017 | 11:21:21 PM
Re: phen375 review web example
A nice informative post thanks alot
marting123
50%
50%
marting123,
User Rank: Apprentice
4/17/2017 | 8:34:27 PM
Professional article.
You shared me the best information which I found for about 3 days, thanks much! Professional!
nidivivivi
50%
50%
nidivivivi,
User Rank: Apprentice
4/17/2017 | 8:28:23 PM
Thanks for your professional article!
The article - "US-CERT Warns That HTTPS Inspection Tools Weaken TLS", appreciate your great article, really very informative, perfect!
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
4/17/2017 | 3:04:50 AM
Re: 192.168.l.l
It really important, thanks for sharing with us!
marting123
50%
50%
marting123,
User Rank: Apprentice
4/16/2017 | 5:19:36 PM
Thanks for your professional article.
The article - "US-CERT Warns That HTTPS Inspection Tools Weaken TLS", appreciate your great article, really very informative, perfect!
Page 1 / 5   >   >>
Game Change: Meet the Mach37 Fall Startups
Ericka Chickowski, Contributing Writer, Dark Reading,  10/18/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.