Poor HTTPS interception compromises security

A new study has shown that HTTPS interception, the practice of decrypting and scanning HTTPS connections to monitor traffic for security vulnerabilities, is a much more common feature in security software processes than first thought.
by Egress
Published on 28th Feb 2017
Blog Header Image Secure 1440X370

A new study has shown that HTTPS interception, the practice of decrypting and scanning HTTPS connections to monitor traffic for security vulnerabilities, is a much more common feature in security software processes than first thought.

The group of researchers behind the paper ‘The Security Impact of HTTPS Interception’ also showed that the devices and software that perform HTTPS interception also significantly reduce the protection offered by HTTPS. By terminating the existing Transport Layer Security (TLS) connection and replacing it with a weakened implementation, the overall safety of users’ data is put at risk – with potentially serious consequences.

What is HTTPS interception?

HTTPS is a method of securing the connection between a client and a web server. It employs SSL/TLS to encrypt and authenticate the connection to secure the data being sent between the two devices, protecting against attacks and snooping. For these reasons, it has seen widespread promotion and uptake.

However, the report’s authors state that the security community are ‘working at cross-purposes’ by promoting uptake of HTTPS whilst accepting that the interception of this connection is a fundamental feature of many security solutions.

Software and devices such as firewalls, web filters, content filters, malware inspectors and antivirus solutions perform HTTPS interception to filter content and look for malicious threats in the data being sent.

HTTPS interception usually works in the following way:

  1. The browser’s secure TLS connection between itself and the web server is terminated, revealing the plaintext data being transmitted
  2. This HTTP plaintext is inspected/ scanned
  3. The HTTP data is sent via a new TLS connection to the intended web server

So, the existing TLS connection is disabled in order to conduct traffic analysis and anti-virus scanning before a new TLS connection to the destination is initiated. However, the researchers show that many of the products that do HTTPS interception have poor TLS capabilities and hence compromise the security of the user’s data, by replacing the original TLS connection with a weaker version.

How were these vulnerabilities discovered?

The researchers, from US universities and companies such as Google, Mozilla, and Cloudflare, tested middleboxes from a variety of major providers. Middleboxes function like network proxies to conduct traffic analysis and content filtering. All but one device weakened connection security and introduced TLS vulnerabilities. Additionally, testing of 29 anti-virus solutions found 13 that would intercept TLS connections.

The researchers’ method was as follows:

  1. Show that web servers can detect HTTPS interception by ‘identifying a mismatch between the HTTP User-Agent header and the behaviour of the TLS client’
  2. Construct heuristics around the way properties of these TLS implementations differed for web browsers and products that employ HTTPS interception, in order to detect the interception and identify the specific product involved
  3. Apply these heuristics to almost 8,000,000, 000TLS connection handshakes, focusing on three major internet services:
  • Mozilla Firefox update servers
  • A set of popular e-commerce website
  • The Cloudflare content distribution network

While the levels of interception they found in these providers differed (4.0% of Firefox update connections, 6.2% of e-commerce connections, and 10.9% of U.S. Cloudflare connections), all were much higher than any previous estimates

  1. Finally, quantify the ‘real-world security impact’ of these interceptions by applying a grading scale to calculate the change in security of those connections that were intercepted

And the results were alarming, to say the least.

Out of the connections that were intercepted, 97% of Firefox, 32% of e-commerce and 54% of Cloudflare connections became less secure.

The intercepted connections used weaker cryptographic algorithms and, worse still, some even ‘advertised support for known-broken ciphers that would allow an active man-in-the-middle attacker to later intercept, downgrade, and decrypt the connection’.

Securing your data

The vulnerabilities highlighted in the study join existing risks to using TLS for securing communications channels. The startling feature here though is that the vulnerabilities are being caused by security vendors themselves.

The researchers offer a series of recommendations, such as a call for vendors to prioritise and improve security of their TLS implementations, and for antivirus providers to reconsider using HTTPS interception. Until then, the message for the user is clear: proceed with caution and actively explore other methods for securing your data.

For more information on additional problems caused by solely relying on TLS as a method for securing data, read our white paper.