US-CERT Says HTTPS Interception Weakens TLS Security, But Leaves Off “When Done Poorly”

April 4, 2017 | David Bisson

Secure Socket Layer (SSL) inspection is essential to addressing the risks posed by Hypertext Transfer Protocol Secure (HTTPS). For example, a phishing email can use HTTPS to contact its command and control server and download malware onto a user's machine. To defend against these types of attacks that hide in encryption, many organizations use SSL inspection products to scan data packets encrypted over an HTTPS session for malicious content.

Unfortunately, many products fail to properly perform SSL inspection.

According to a report published by researchers at Mozilla, CloudFlare, and Google, 11 out of 12 middleboxes that analyze TLS connections actually weakened security. One cause of these products' inadequate performance was improper certificate validation. Will Dormann of CERT explains how failure to verify certificates jeopardizes security:

"…The client can verify only that it is communicating with the SSL-inspecting software. The client is unaware of what technique the SSL-inspecting software is using for validating SSL certificates. And perhaps more importantly, whether there are additional points between the SSL-inspecting software and the target system is impossible for the client to determine. Is there an attacker between the SSL-inspecting software and the target server? The client has no way of knowing. Because of this lack of transparency, the client must assume that the SSL inspecting software is doing everything perfectly. Unfortunately, SSL-inspecting software does not do everything perfectly."

Dormann analyzed dozens of software products that perform SSL inspection. He found many of the applications committed seven mistakes that weakened connection security. These results in part motivated US-CERT to publish an alert entitled "HTTPS Interception Weakens TLS Security" that details the dangers of SSL inspection.
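To make Dormann's point concrete, here is an added example (not from the article, Dormann's analysis, or any product it mentions) that contrasts the upstream TLS settings an inspecting proxy might use and audits them for the certificate-validation gaps a client can never see; the function names are hypothetical.

```python
import ssl
from typing import List

# The browser only ever sees the proxy's own certificate, so whatever the
# proxy skips on its upstream (proxy -> origin server) leg is invisible to the
# end user. These contexts model that upstream leg.

def weak_upstream_context() -> ssl.SSLContext:
    """The failure mode the alert describes: accept any upstream certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode below
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    try:
        # Some inspectors also re-enable legacy protocol versions upstream.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass  # this OpenSSL build cannot enable TLS 1.0 at all
    return ctx

def hardened_upstream_context() -> ssl.SSLContext:
    """Validate the origin's chain against the system trust store and check its hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_upstream_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation gaps that a client behind this proxy could not detect."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("upstream certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("upstream hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed upstream "
                        f"(minimum {ctx.minimum_version.name})")
    return findings

if __name__ == "__main__":
    for label, ctx in (("weak", weak_upstream_context()),
                       ("hardened", hardened_upstream_context())):
        print(label, audit_upstream_context(ctx) or ["no findings"])
```

The same audit applied to a real inspector's configuration is how a defender verifies that the proxy, not just the client, is actually validating certificates.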

Not everyone is pleased by this advisory. Some feel it overlooks the benefits of SSL inspection. David Holmes, world-wide security evangelist at F5 Networks, is one of those individuals.

"The situation is a little more nuanced than they are suggesting," explains Holmes. "The way the headline is written makes it sound like SSL interception is a bad thing. In reality, what the researchers are saying is that WHEN DONE POORLY it's a bad thing."

Kevin Bocek, vice president of security strategy at Venafi, takes it one step further. He feels that recent discussions about the potential vulnerabilities connected with looking inside of encrypted SSL/TLS traffic ignore the critically important role of SSL inspection. He explains,

"SSL/TLS inspection is just not about employee use of the Internet. It's also about threats from web applications that seek to hide, move, and expand across networks."

Bocek goes on to recommend, “Organizations need SSL inspection to examine application, cross-network, cross-cloud, cross data center and IoT communications. Failing to inspect these communications makes the security technology that businesses rely on to protect them from cyber attacks far less effective. SSL inspection is the only way to protect against threats hiding in incoming and cross-network encrypted traffic.”

Examining encrypted traffic is critical to improving security. Organizations should research products that perform SSL inspection and deploy them properly to ensure secure TLS connections. To maximize performance and security, they should also invest in a solution that integrates with key and certificate management to automate SSL/TLS decryption.

Does your SSL/TLS inspection solution have easy access to the necessary keys and certificates?

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
