CERT: HTTPS Interception Products Weaken Companies' Security

The United States Computer Emergency Readiness Team (CERT) issued a report in which it warned companies and other organizations against using HTTPS or TLS interception products. CERT said that such products often make those companies' communications less secure, because the products don’t properly validate server connections and may use weaker cryptography.

TLS Interception

Intercepting encrypted TLS connections is quite a common occurrence within organizations as part of their security solutions. The idea is that it’s better to decrypt all encrypted communications internally to check for malware and spam. However, according to CERT, this kind of thinking may expose companies to other dangers.

The way HTTPS inspection works is by intercepting HTTPS traffic and performing a man-in-the-middle (MITM) attack on the network connection. In a MITM attack, the client's data is transmitted to a (usually malicious) party that impersonates the server the client intends to reach. Browsers normally warn when this happens, because the certificate presented by the impersonating party is not one the client trusts for the server it meant to reach.

To avoid these warnings when organizations run a MITM against their own connections, they install "trusted" certificates on the client machines that match the interception product. The problem with this approach is that the client can no longer validate the certificate of the real server for itself; it only ever sees the interception product's certificate.

Therefore, even if the connection between the interception product and the client machine is secure, both the interception product and the clients may be receiving data from a spoofed server.

According to CERT, many interception products do not properly validate the certificate chain of the server before re-encrypting the data and forwarding it to the clients. CERT found that many of the interception products don’t forward the certificate chain errors to the clients, so the clients would be unaware that the data was sent to a spoofed server.

CERT Recommendations

If for whatever reason companies refuse to drop HTTPS interception products from their enterprise security architecture, CERT recommends they use sites such as BadSSL.com to test the security of their connections. The tests should show whether or not their HTTPS inspection products are properly verifying the certificate chains of the servers and if they are using weak cryptography when re-encrypting the connections.

At a minimum, if the BadSSL.com certificate tests prevent clients with access to the internet from connecting, then the clients should also refuse the connections done through the HTTPS inspection products.
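The following probe is an added example, not code from CERT or from the article. It turns the BadSSL.com recommendation above into a repeatable check: it opens strict TLS connections to hosts that a correctly validating client must refuse (the expired, self-signed, wrong-host and untrusted-root test hostnames are assumed to be those published by badssl.com; confirm them before relying on the list) plus one control host that should succeed. If a handshake to a host that should fail succeeds from inside the network, the path in front of the client (typically the inspection product) accepted the bad certificate and hid the error, which is exactly the behaviour CERT describes. The `handshake` function is injectable so the verdict logic can be exercised offline without a network.

```python
"""Probe whether an HTTPS inspection path hides server certificate errors.

Added example, not from the CERT report or the article. The test
hostnames are assumed to be badssl.com's public endpoints; verify them
before use. Run from a client inside the inspected network and compare
with a run from an uninspected connection.
"""
import socket
import ssl
from dataclasses import dataclass

# Hosts a correctly validating client must refuse (assumed badssl.com endpoints).
EXPECTED_FAILURES = {
    "expired.badssl.com": "expired certificate",
    "self-signed.badssl.com": "self-signed certificate",
    "wrong.host.badssl.com": "hostname mismatch",
    "untrusted-root.badssl.com": "untrusted root CA",
}
# Control host that should connect cleanly (assumed).
CONTROL_HOST = "badssl.com"


@dataclass
class ProbeResult:
    host: str
    expected_to_fail: bool
    handshake_ok: bool
    error: str = ""

    @property
    def verdict(self) -> str:
        if self.expected_to_fail and self.handshake_ok:
            return "MASKED"          # bad certificate accepted; error hidden from client
        if self.expected_to_fail:
            return "OK"              # validation error reached the client as it should
        if self.handshake_ok:
            return "OK"              # control host connected normally
        return "CONTROL_FAILED"      # even the good host failed; check connectivity first


def strict_context() -> ssl.SSLContext:
    """Client context with full chain and hostname verification enabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_handshake(host: str, port: int = 443, timeout: float = 5.0) -> None:
    """Perform a real TLS handshake; raises ssl.SSLError if validation fails."""
    ctx = strict_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host):
            pass  # the handshake completes inside wrap_socket


def probe(host: str, expected_to_fail: bool, handshake=tls_handshake) -> ProbeResult:
    """Run one probe; `handshake` can be replaced for offline testing."""
    try:
        handshake(host)
        return ProbeResult(host, expected_to_fail, True)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return ProbeResult(host, expected_to_fail, False, str(exc))


def run_probes(handshake=tls_handshake) -> list[ProbeResult]:
    """Probe the control host first, then every host that must fail."""
    results = [probe(CONTROL_HOST, False, handshake)]
    for host in EXPECTED_FAILURES:
        results.append(probe(host, True, handshake))
    return results


def masked_hosts(results: list[ProbeResult]) -> list[str]:
    """Hosts whose certificate error was swallowed somewhere in front of the client."""
    return [r.host for r in results if r.verdict == "MASKED"]


if __name__ == "__main__":
    for r in run_probes():
        reason = EXPECTED_FAILURES.get(r.host, "control")
        print(f"{r.verdict:15} {r.host:28} {reason}  {r.error}")
    if masked_hosts(run_probes()):
        print("Certificate errors are being masked; the inspection path needs attention.")
```

A non-empty `masked_hosts` result from inside the network, when the same hosts are refused from an uninspected connection, is the condition CERT's guidance says should never occur: the clients behind the inspection product must fail exactly where an unproxied client fails.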

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • firefoxx04
    A lot of companies willing to do this do not use certificate authorities in the first place. The browser already thinks there is a MITM attack 24/7. So why does it matter that we are performing a MITM attack on ourselves if we already do not use signed certificates?
  • BPusch
    We call it content filtering in the EDU universe and that won't be going away anytime soon. The secret to success is to pay, continuously, for a high quality product that does check the SSL connections it forms against known quality lists. Money won't solve everything, but it works here. This content filtering is important to keep us compliant with state laws. With the push to move everything to SSL, it has presented some challenges that perhaps policy and legislation haven't kept up with.