Killed by Proxy
Analyzing Client-end TLS Interception Software

By Xavier de Carné de Carnavalet and Mohammad Mannan

To filter SSL-protected traffic, some antivirus and parental-control applications interpose a SSL proxy in the middle of the host's communications. Covering existing and new attack vectors on SSL engines, we design a comprehensive framework to analyze such client-end TLS proxies. Using the framework, we perform a thorough analysis of eight antivirus and four parental-control applications that act as TLS proxies, along with two additional products that only import a root certificate; these products are possibly used by millions of users. Our systematic analysis uncovered that some of these security enhancing tools severely affect SSL security on their host machines. In particular, we found that four products are vulnerable to full server impersonation under an active man-in-the-middle (MITM) attack out-of-the-box, and two more if SSL filtering is enabled. Several tools also mislead browsers into believing that an SSL connection is more secure than it actually is, by e.g., artificially upgrading a server's SSL version at the client.

As the most used interface to web, browser manufacturers in the recent years have taken a more pro-active role in improving online security than simply faithfully implementing the TLS specifications, e.g., deploying optional/experimental extensions to TLS, such as HSTS and key pinning; blocking malware and phishing sites; and restricting misbehaving CAs, such as CNNIC and TURKTRUST. We thus expect browser manufacturers to force companies behind the most offending CCAs to fix obvious vulnerabilities, by blocking connections when a known, broken proxy is involved. There are possible research opportunities in this direction.

During July/August of 2015, we have contacted all companies involving the products we analyzed. Most accepted our findings, and are fixing their products. However, some problems as we found are more fundamental to client-end SSL proxying, and cannot be fixed without significant changes in the proxy design. We made our results available in mid December (2015), including some guidelines for safer implementation.