SSL inspection could jeopardise security
SSL inspection could jeopardise security

Security measures put in place by organisations may weaken security, according to US-CERT.

The US-CERT is a branch of the Office of Cybersecurity and Communications' (CS&C) National Cybersecurity and Communications Integration Center (NCCIC) within the Department of Homeland Security in the US.

It warned that many enterprise security appliances that carry out HTTPS inspection to examine encrypted traffic may actually hinder security efforts by introducing a vulnerability in the system.

In an advisory, US-CERT said that “all systems behind a HTTPS interception product are potentially affected”.

The advisory added that organisations that needed to inspect HTTPS traffic should ensure that products are “performing correct transport layer security (TLS) certificate validation”.

“Because the HTTPS inspection product manages the protocols, ciphers and certificate chain, the product must perform the necessary HTTPS validations,” said the advisory.

“Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.”

The advisory cited a report, called the Security Impact of HTTPS Interception, that highlighted several security concerns with HTTPS inspection products and outlined survey results of these issues.

According to a blog post by Will Dormann of Carnegie Mellon University's CERT/CC, who looked at 58 products, a range of flaws were found with applications that failed to properly validate certificates and carried out HTTPS and SSL inspections which put users at a greater risk than compared with browsers.

He said that SSL inspection is “much more widespread than I suspected” and highlighted its use in secure web gateways, firewalls, data loss prevention (DLP) products and other products.

“SSL and TLS do not provide the level of end-to-end security that users may expect. Even in absence of SSL inspection, there are problems with how well browsers are conveying SSL information to users,” said Dormann.

He added that the fact that "SSL inspection" is a phrase that exists, should be a “blazing red flag that what you think SSL is doing for you is fundamentally broken”.  

Dormann said that system administrators may wish to reassess whether they want to deploy SSL inspection capabilities in their environment.

“At the very least, system administrators could contact the vendors of SSL inspection software to have them confirm the proper configuration options and behaviours,” he added.

US-CERT did not go as far as advising organisations to stop using such products that perform HTTPS inspection, but should verify that their product properly validates certificate chains and passes any warnings or errors to the client.

“At a minimum, if any of the tests in the Certificate section of badssl.com prevent a client with direct Internet access from connecting, those same clients should also refuse the connection when connected to the Internet by way of an HTTPS inspection product,” said the advisory.

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, told SC Media UK that vendors need to enable more options for intelligent inspection of outgoing traffic.

“Using new technologies like certificate reputation, the identity of the machine being connected to over TLS can be better understood,” he said.

“This includes not just the entire certificate chain, as recommended by researchers, it also means a more selective inspection. When traffic is going out of an organisation, the use of reputation and analytics data to identify potentially anomalous activity can be used to select traffic for inspection, from readily available sources such as certificate and IP reputation data.”

Andrew Rogoyski, VP of Cyber Security Services at CGI UK, told SC that organisations should think quite carefully about using HTTPS inspection products – “they need to be properly set up and if you don't have the necessary skills they can create more vulnerabilities than you were originally trying to discover.”

“Ideally, unless implementing real-time blocking this should not be performed inline as the additional overhead of decrypting and recreating introduces latency which could impact real-time communications,” he added.