A recent paper and subsequent US-CERT advisory warn that HTTPS interception middleboxes and network monitoring appliances can often introduce more problems than they solve.
In the paper The Security Impact of HTTPS Interception, the researchers tested a collection of popular TLS interception boxes and client-side monitoring software. The result: most of them actually introduced new security vulnerabilities into the network, according to a recent article in The Register. The problem arises from the way these devices get around network encryption (like SSL or TLS). These shortcuts open up the network to man-in-the-middle attacks.
The researchers found that security improvements were modest compared to the new vulnerabilities introduced. For example, 97% of Firefox connections intercepted (for monitoring purposes) became less secure. Most of these problems were found in appliances rather than client-side software: 62% of “middlebox” connections became less secure after installation and 58% introduced “severe” vulnerabilities.
Instrumenting security is crucial to the new empirically-based security paradigm. It's all about getting away from assumptions and guessing, and constantly maturing your organization's security based on hard data.
The assumption that security products work as advertised is often wrong. Best practices aren't enough: you must continuously validate that your security products are actually working (and not introducing new problems). That's exactly why we built the Verodin platform.
Of the 12 appliances the researchers tested, just one achieved an “A” grade. Five were rated “F” (!) and six got C’s. On the software side, from a sample size of 20 products, just two received an “A”: Avast’s AV 11 for Windows and BullGuard’s Internet Security 16. Eight got C’s and 10 got F’s.
What’s going on? The TLS and SSL protocols encrypt traffic between a client and server by creating a trusted identity chain using digital certificates. But in order to work, an interception device needs its own certificate trusted by the client devices, so that the certificates it presents in place of each site’s are accepted; otherwise, users would constantly see junk alerts that their connections were “not secure”.
Once that is done, the client can no longer verify the web server’s own certificate: it can only be confident that its connection to the interception appliance is secure, and has no way of knowing whether the remaining hops are secured or not.
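To make the mechanism above concrete, here is an added toy model (not code from the paper, The Register or Verodin): a middlebox’s own CA, the certificate it mints for a site, and how the client’s trust decision flips depending on whether that CA has been installed. The names (“Corp TLS Proxy CA”, “example.com”, the key fingerprints) are constructed, the “signatures” are SHA-256 tags rather than real cryptography, and the last line goes one step beyond the text by showing that a pinned origin key fingerprint still exposes the swap.

```python
# Added toy model (not from the paper, The Register or Verodin) of the trust problem
# behind TLS interception: "signatures" are SHA-256 tags standing in for real CA signatures.
from __future__ import annotations
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: str   # stand-in for the public key: a fingerprint string
    sig: str    # toy signature over (subject, spki) produced with the issuer's key

def toy_sign(issuer_spki: str, subject: str, spki: str) -> str:
    return hashlib.sha256(f"{issuer_spki}|{subject}|{spki}".encode()).hexdigest()

def self_signed(name: str, spki: str) -> Cert:
    return Cert(name, name, spki, toy_sign(spki, name, spki))

def issue(ca: Cert, subject: str, spki: str) -> Cert:
    return Cert(subject, ca.subject, spki, toy_sign(ca.spki, subject, spki))

def chain_is_trusted(chain: list[Cert], trust_store: dict[str, Cert]) -> bool:
    """Walk leaf -> root: each cert must be signed by the next one, and the last
    cert's issuer must be a root the client already trusts."""
    for i, cert in enumerate(chain):
        parent = chain[i + 1] if i + 1 < len(chain) else trust_store.get(cert.issuer)
        if parent is None or cert.issuer != parent.subject:
            return False
        if cert.sig != toy_sign(parent.spki, cert.subject, cert.spki):
            return False
    return bool(chain)  # an empty chain proves nothing

def scenario() -> dict[str, bool]:
    public_ca = self_signed("Public Root CA", "public-root-key")
    origin = issue(public_ca, "example.com", "origin-key")        # the real site cert
    proxy_ca = self_signed("Corp TLS Proxy CA", "proxy-ca-key")    # the middlebox's own CA
    proxy_leaf = issue(proxy_ca, "example.com", "proxy-key")       # what the client is shown
    default_store = {public_ca.subject: public_ca}
    with_proxy_ca = {**default_store, proxy_ca.subject: proxy_ca}  # CA pushed to clients
    return {
        "direct_connection_ok": chain_is_trusted([origin], default_store),
        # Proxy CA not installed: the "not secure" alert the text mentions.
        "intercepted_no_proxy_ca": chain_is_trusted([proxy_leaf], default_store),
        # Proxy CA installed: the minted chain passes and the origin cert is never seen.
        "intercepted_with_proxy_ca": chain_is_trusted([proxy_leaf], with_proxy_ca),
        # A pinned origin key fingerprint is one check that still exposes the swap.
        "pin_detects_interception": proxy_leaf.spki != origin.spki,
    }
```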
Security is hard. Don’t assume your defensive stack is working just because you installed it. Verify, with Verodin.