Research paper shows vulnerabilities with SSL interception


L3 Networker

In Feb 2017, some universities, Mozilla, Cloudflare, and Google released this paper on corporate and desktop HTTPS interception.

 

First they figured out how to identify when someone connects to a web server through an SSL interception appliance. Then they found that most corporate "man-in-the-middle" appliances expose security vulnerabilities. Basically, most appliances don't mirror the client's browser TLS handshake, and instead use their own less secure cipher suite.

 

So for example, your browser requests to connect to google.com with TLS 1.2 with AES, the firewall decrypts it, then re-encrypts it with a weaker TLS handshake (like TLS 1.0 with RC4, or worse). This effectively makes your browser's connection far less secure.

 

The paper grades a few appliances. Bluecoat got an "A", but Cisco got an "F". Sophos and Juniper got a "C". Unfortunately Palo Alto isn't graded, and I don't know what method it uses.

  

Here's the link to the paper (PDF hosted by one of the paper's authors, Zakir Durumeric): The Security Impact of SSL Interception (https://zakird.com/papers/https_interception.pdf). The juicy stuff is on page 5.

 

Also here is a link to an article summary about it, in case the PDF doesn't work: https://www.helpnetsecurity.com/2017/02/10/https-interception/
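One way to check for the mismatch described in the post above is to capture the ClientHello your browser sends and the one the appliance sends upstream, then compare them. This is an added example, not part of the original post or the paper; the function names are hypothetical and both sample handshakes are constructed. It reads only the legacy `client_version` field, so it does not distinguish TLS 1.3.

```python
import struct

# IANA code points for suites considered weak (RC4, DES/3DES, export-grade).
WEAK = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
        0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
        0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
        0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suite ids]) from one TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    (version,) = struct.unpack("!H", body[4:6])
    pos = 38                       # type(1) + length(3) + version(2) + random(32)
    pos += 1 + body[pos]           # skip the session_id
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack("!H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("truncated cipher suite list")
    return version, list(struct.unpack("!%dH" % (n // 2), raw))

def compare_handshakes(browser: bytes, upstream: bytes):
    """List the ways the appliance's upstream hello is weaker than the browser's."""
    b_ver, b_suites = parse_client_hello(browser)
    u_ver, u_suites = parse_client_hello(upstream)
    name = lambda v: VERSIONS.get(v, hex(v))
    findings = []
    if u_ver < b_ver:
        findings.append("version downgrade: %s -> %s" % (name(b_ver), name(u_ver)))
    for s in u_suites:
        if s in WEAK and s not in b_suites:
            findings.append("weak suite added upstream: " + WEAK[s])
    return findings

def build_hello(version, suites):
    """Constructed sample: minimal ClientHello, empty session id, no extensions."""
    sb = struct.pack("!%dH" % len(suites), *suites)
    hello = struct.pack("!H", version) + bytes(33) + struct.pack("!H", len(sb)) + sb + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

BROWSER = build_hello(0x0303, [0xC02B, 0xC02F, 0x009C])   # constructed: TLS 1.2, AES-GCM
UPSTREAM = build_hello(0x0301, [0x0005, 0x0004, 0x002F])  # constructed: TLS 1.0, RC4 first
```

An empty result from `compare_handshakes` means the upstream hello offers no lower version and no weak suite that the browser did not already offer.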

 

 

 

 

 

5 REPLIES 5

L6 Presenter

Great highlight...I couldn't open your link though...

 

I did some Google sleuthing and found this BlackHat article on this topic:

 

https://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-Slides.pdf 

Don't know why that link doesn't work, but it's directly from one of the authors' sites. I added another link that has some article about it too.

*It's possible my company was blocking an IP for the site...(I didn't really care to look through firewall logs to confirm) lol*

oops, I clicked accept instead of quick reply...

I wish I could attach files to the post but I don't think they have that feature here.

Here is the CERT report outlining the issues when setting up corporate decryption and not mentioning any specific vendors.

 

https://www.us-cert.gov/ncas/alerts/TA17-075A

 

Would be a good exercise to have a best practices document for how PA could follow these recommendations.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center