HTTPS Interception Weakens Security
The US-CERT has just published an alert on how "HTTPS Interception Weakens TLS Security" (TA17-075A). Essentially this alert is a warning for all organizations using a product that inspects HTTPS traffic that their overall security posture might be affected.
The inspection of SSL has become popular in recent years, at least since Gartner published an article in 2013 titled "Security Leaders Must Address Threats From Rising SSL Traffic". In that article the authors point out that an increasing amount of malware hides its network activity inside SSL-encrypted traffic, which traditional security devices cannot inspect, in order to avoid detection.
The inspection of HTTPS network traffic is done by intercepting the traffic, essentially performing a man-in-the-middle (MiTM) attack on the connection. The irony is that SSL encryption and HTTPS were developed to provide security and privacy between a client browser and a web server, and that protection is now broken open by inspection devices looking for malicious traffic.
The alert points out that a recent report, "The Security Impact of HTTPS Interception", found that many of the products used to inspect the traffic may actually weaken the overall security of an organization. This is because some of these products do not properly validate certificates, and thereby introduce a vulnerable link in the certificate chain of trust that can be abused by other attackers.
The report gives some indication of how much HTTPS traffic is intercepted; probably the most telling data points are from Cloudflare and e-commerce sites, which indicate that 10.9% and 6.2% of HTTPS connections respectively have been intercepted. The authors go on to test how well various products handle the interception.
It's interesting to see that only Blue Coat's Proxy SG in the networking products category, and Avast AV 11 and Bullguard Internet Security in the host-based products category, received a Grade A "Optimal", while all other products rated less than Grade C "Known Attacks", which means the connection is vulnerable to known attacks!
In order to mitigate any exposure, the US-CERT advises organisations to verify how well the products they are using validate certificate chains and pass any warnings and errors on to the browser client. A partial list of products that may be affected can be found in the blog post "The Risk of SSL Inspection".
Further, organisations may use the badssl.com website to determine whether the HTTPS interception product they are using properly validates certificate chains and prevents connections to sites that use weak cryptography.
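As an added example (not from the alert or this post), the badssl.com check described above can be scripted from a client sitting behind the inspection product: each deliberately broken badssl.com host must still be rejected after interception, and a clean host must be accepted. It assumes only the Python standard library and the listed badssl.com test host names.

```python
"""Probe badssl.com test hosts from behind an HTTPS inspection product.

If the product re-signs upstream certificates without validating them, a
connection to e.g. expired.badssl.com succeeds from the client's point of view
(the proxy presents a fresh certificate signed by the locally trusted inspection
CA). A correctly behaving product must propagate the failure to the client.
"""
import socket
import ssl

# Constructed test table: hostname -> outcome a correctly validating path must produce.
EXPECTED = {
    "badssl.com": "accept",
    "expired.badssl.com": "reject",
    "wrong.host.badssl.com": "reject",
    "self-signed.badssl.com": "reject",
    "untrusted-root.badssl.com": "reject",
}

def probe(hostname, port=443, timeout=5.0):
    """Handshake with full chain and hostname validation (system trust store).
    Returns ("accept", issuer_organization) or ("reject", exception_name)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                # issuer is a tuple of RDNs, each a tuple of (name, value) pairs
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "accept", issuer.get("organizationName", "unknown")
    except (ssl.SSLError, OSError) as exc:  # certificate errors are SSLError subclasses
        return "reject", type(exc).__name__

def assess(observed, expected=EXPECTED):
    """Compare observed {host: (outcome, detail)} against the expected table.
    Returns a list of findings; an empty list means every check behaved correctly."""
    findings = []
    for host, want in expected.items():
        got, detail = observed.get(host, ("reject", "not probed"))
        if want == "reject" and got == "accept":
            findings.append(f"{host}: accepted (issuer={detail}); the interception path is not validating upstream certificates")
        elif want == "accept" and got == "reject":
            findings.append(f"{host}: rejected ({detail}); check that the inspection CA is trusted or that the host is reachable")
    return findings

if __name__ == "__main__":
    for line in assess({h: probe(h) for h in EXPECTED}) or ["all badssl.com checks behaved as expected"]:
        print(line)
```

The issuer organization reported for badssl.com also shows whether the connection was intercepted at all: an internal inspection CA in place of a public CA means the proxy is re-signing the traffic.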