US-CERT Says HTTPS Interception Weakens TLS Security, But Leaves Off “When Done Poorly”

April 4, 2017 | David Bisson

Secure Sockets Layer (SSL) inspection is essential to addressing the risks posed by Hypertext Transfer Protocol Secure (HTTPS). For example, a phishing email can use HTTPS to contact its command-and-control server and download malware onto a user's machine. To defend against these types of attacks that hide in encryption, many organizations use SSL inspection products to scan data packets encrypted over an HTTPS session for malicious content.

Unfortunately, many products fail to properly perform SSL inspection.

According to a report published by researchers at Mozilla, CloudFlare, and Google, 11 out of 12 middleboxes that analyze TLS connections actually weakened security. One cause of these weaknesses was improper certificate validation. Will Dormann of CERT explains how failure to verify certificates jeopardizes security:

"…The client can verify only that it is communicating with the SSL-inspecting software. The client is unaware of what technique the SSL-inspecting software is using for validating SSL certificates. And perhaps more importantly, whether there are additional points between the SSL-inspecting software and the target system is impossible for the client to determine. Is there an attacker between the SSL-inspecting software and the target server? The client has no way of knowing. Because of this lack of transparency, the client must assume that the SSL inspecting software is doing everything perfectly. Unfortunately, SSL-inspecting software does not do everything perfectly."

Dormann analyzed dozens of software products that perform SSL inspection. He found many of the applications committed seven mistakes that weakened connection security. These results in part motivated US-CERT to publish an alert entitled "HTTPS Interception Weakens TLS Security" that details the dangers of SSL inspection.
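As an added illustration of the "improper certificate validation" failure Dormann describes (example code written for this page, not code from the article, from CERT, or from any of the products tested), the Python below audits the upstream-facing TLS client configuration an inspection proxy would use for its proxy-to-origin connection, comparing a weak setup with a hardened one, and shows what a client sitting behind the proxy can and cannot learn from the certificate it is handed. The peer-certificate dictionaries are constructed to mimic the shape `ssl.SSLSocket.getpeercert()` returns; the organization names and the function names are assumptions of this example.

```python
"""Audit the upstream (proxy -> origin) TLS client settings of an
SSL-inspecting proxy, and show what the protected client can and
cannot learn from the certificate it receives.

Example code added for illustration; function and organization names
are this example's own, not taken from any product or from the article.
"""
import ssl
from typing import Dict, Iterable, List, Optional


def weak_upstream_context() -> ssl.SSLContext:
    """The 'done poorly' configuration: the proxy accepts any origin
    certificate, any host name, and any protocol version the library
    still supports. A client behind it has no way to see this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_upstream_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The validation a browser would apply itself: chain validation
    against a trust store, host-name matching, and TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_upstream_context(ctx: ssl.SSLContext) -> List[str]:
    """Return one finding per weakness; an empty list means the proxy's
    upstream client validates the way a browser would."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("origin certificate chain is not validated "
                        "(verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("origin certificate is not matched against the "
                        "requested host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are "
                        "negotiable with the origin")
    return findings


# Constructed peer certificates in the nested-tuple shape returned by
# ssl.SSLSocket.getpeercert(); the names are made up for this example.
DIRECT_PEER_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),)),
}
INTERCEPTED_PEER_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Corp Inspection CA"),)),
}


def issuer_organization(peer_cert: Dict) -> Optional[str]:
    """Pull organizationName out of the issuer's RDN sequence."""
    for rdn in peer_cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def is_intercepted(peer_cert: Dict, inspection_ca_orgs: Iterable[str]) -> bool:
    """True when the certificate the client received was issued by the
    inspection CA rather than by a public CA. Note what this does NOT
    tell the client: whether the proxy validated the real origin at all,
    which is exactly the blind spot Dormann describes."""
    return issuer_organization(peer_cert) in set(inspection_ca_orgs)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_upstream_context()),
                      ("hardened", hardened_upstream_context())):
        print(f"{name}: {audit_upstream_context(ctx) or ['no findings']}")
    print("client sees inspection CA:",
          is_intercepted(INTERCEPTED_PEER_CERT, {"Example Corp Inspection CA"}))
```

The audit function is the piece a defender can reuse: point it at the `SSLContext` a proxy (or any in-house interception tool written in Python) builds for its origin connections, and every finding it returns is a validation step the client behind the proxy is silently losing.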

Not everyone is pleased by this advisory. Some feel it overlooks the benefits of SSL inspection. David Holmes, world-wide security evangelist at F5 Networks, is one of those individuals.

"The situation is a little more nuanced than they are suggesting," explains Holmes. "The way the headline is written makes it sound like SSL interception is a bad thing. In reality, what the researchers are saying is that WHEN DONE POORLY it's a bad thing."

Kevin Bocek, vice president of security strategy at Venafi, takes it one step further. He feels that recent discussions about the potential vulnerabilities connected with looking inside of encrypted SSL/TLS traffic ignore the critically important role of SSL inspection. He explains,

"SSL/TLS inspection is just not about employee use of the Internet. It's also about threats from web applications that seek to hide, move, and expand across networks."

Bocek goes on to recommend, “Organizations need SSL inspection to examine application, cross-network, cross-cloud, cross data center and IoT communications. Failing to inspect these communications makes the security technology that businesses rely on to protect them from cyber attacks far less effective. SSL inspection is the only way to protect against threats hiding in incoming and cross-network encrypted traffic.”

Examining encrypted traffic is critical to improving security. Organizations should research products that perform SSL inspection and deploy them properly to ensure secure TLS connections. To maximize performance and security, they should also invest in a solution that integrates with key and certificate management to automate SSL/TLS decryption.

Does your SSL/TLS Inspection solution have easy access to necessary keys and certificates? 

About the author

David Bisson

David Bisson writes for Venafi's blog and is an expert in machine identity protection.
