The US-CERT[1] recently published an alert detailing how HTTPS interception can weaken security. This is a topic that was recently discussed in Security Now episode 599[2]where Steve Gibson[3] talks about an awesome research paper[4] (PDF) on the impact of HTTPS interception.
The research paper goes into detail about how they were able to analyze eight billion TLS connections to identify which of those had their connections intercepted. Their results show that about 10% of all US based connections had their TLS broken at some point. This could be from a corporate TLS proxy, a host based Anti-Virus solution, or possibly a malicious actor using a MITM attack.
A TLS proxy acts like a person at the post office opening all of your mail, inspecting it, re-sealing it, and shipping it to the original destination. The problem is when re-sealing it and shipping it off, they aren't always using the same level of security that you started with, leaving you vulnerable to all sorts of attacks.
This is an important topic to be aware of and I'm personally researching how we can raise visibility to problematic TLS proxies, and alert end users when their "assumed secure" connections aren't actually as secure as they should be. I'm hoping to find a browser extension that can detect this, or maybe I need to build a solution myself :).
Credits:
[1] US-CERT
[2] Security Now Podcast
[3] Steve Gibson of GRC
[4] "The Security Impact of HTTPS Interception" by Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, and Nick Sulli
No comments:
Post a Comment