Vulnerabilities / Threats
3/16/2017
05:15 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
100%
0%

US-CERT Warns That HTTPS Inspection Tools Weaken TLS

Turns out that man-in-the-middling your own traffic isn't the safest way to look for man-in-the-middle attacks.

HTTPS inspection tools are, in essence, a security team's authorized man-in-the-middle attacker: they intercept encrypted SSL/TLS traffic, in order to, for example, search it for malware that uses HTTPS to connect to malicious servers. However, in an alert today, US-CERT warned that HTTPS interception weakens TLS security, advising that organizations "carefully consider the pros and cons of such products before implementing."

Normally, a Web browser will alert a user to weak ciphers, deprecated protocol versions, or other reasons that certificates should not be trusted and connections might be dangerous. Once an HTTPS interception tool is introduced, however, the user must put all its trust in the tool.

From the US-CERT alert:

"Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties."

Unfortunately, researchers have found these products lacking when it comes to those validation practices. For example - as noted in works cited in the advisory, "The Risks of SSL Inspection" and "The Security Impact of HTTPS Interception" - some HTTPS inspection products do incomplete validation of upstream certificates, others conduct complete validation but fail to convey the results back to the client, and others will complete communication to the target server before issuing warnings to the user.   

HTTPS interception capabilities are built into a wide variety of security tools, including firewalls, secure web gateways, data loss prevention products, and other applications. A partial list of potentially affected applications is available here

US-CERT recommends that organizations use the testing resources at BadSSL.com to determine whether or not their HTTPS interception applications are properly validating certificates and preventing connections to sites using weak cryptography.

"At a minimum," states the alert, "if any of the tests in the Certificate section of badssl.com prevent a client with direct Internet access from connecting, those same clients should also refuse the connection when connected to the Internet by way of an HTTPS inspection product." 

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 5   >   >>
Ludivina
50%
50%
Ludivina,
User Rank: Strategist
4/27/2017 | 2:48:14 PM
buy instagram followers web example
The HTTPS is pretty good when we talk about security, but it still needs improvements.
Shantaram
50%
50%
Shantaram,
User Rank: Strategist
4/24/2017 | 3:03:34 AM
Re: Great article! 192.168.0.1
Excellent post, i was happy to find it!
forskolinfuel
50%
50%
forskolinfuel,
User Rank: Apprentice
4/19/2017 | 11:21:21 PM
Re: phen375 review web example
A nice informative post thanks alot
marting123
50%
50%
marting123,
User Rank: Apprentice
4/17/2017 | 8:34:27 PM
Professional article.
You shared me the best information which I found for about 3 days, thanks much! Professional!
nidivivivi
50%
50%
nidivivivi,
User Rank: Apprentice
4/17/2017 | 8:28:23 PM
Thanks for your professional article!
The article - "US-CERT Warns That HTTPS Inspection Tools Weaken TLS", appreciate your great article, really very informative, perfect!
Shantaram
50%
50%
Shantaram,
User Rank: Strategist
4/17/2017 | 3:04:50 AM
Re: 192.168.l.l
It really important, thanks for sharing with us!
marting123
50%
50%
marting123,
User Rank: Apprentice
4/16/2017 | 5:19:36 PM
Thanks for your professional article.
The article - "US-CERT Warns That HTTPS Inspection Tools Weaken TLS", appreciate your great article, really very informative, perfect!
marting123
50%
50%
marting123,
User Rank: Apprentice
4/14/2017 | 4:16:06 PM
Thanks for your professional article.
The article - "US-CERT Warns That HTTPS Inspection Tools Weaken TLS", appreciate your great article, really very informative, perfect!
Diet Pills
50%
50%
Diet Pills,
User Rank: Apprentice
4/14/2017 | 7:25:48 AM
Re: grat post.
The article - "US-CERT Warns That HTTPS Inspection Tools Weaken TLS", appreciate your great article, really very informative, perfect!
Diet Pills
50%
50%
Diet Pills,
User Rank: Apprentice
4/14/2017 | 7:25:33 AM
Re: grat post.
The article - "US-CERT Warns That HTTPS Inspection Tools Weaken TLS", appreciate your great article, really very informative, perfect!
Page 1 / 5   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.