To Intercept or Not to Intercept: Analyzing TLS Interception in Network Appliances
ABSTRACT - Many enterprise-grade network appliances host a TLS interception feature, which operates by activating a TLS proxy.
When deployed, the TLS proxy acts as the security validating client for TLS web servers, on behalf of the original requesting client.
Consequently, TLS proxies must maintain a reliable level of security, at least, at the same level as up-to-date browsers.
Failure to do so increases the attack surface of all the proxied clients located behind the network appliance.
In this paper, we develop a framework for testing TLS inspecting network appliances,
combining and extending tests from existing work on client-end and network-based interception.
Utilizing this framework, we analyze six network appliances, and uncover several security issues regarding TLS version
and certificate parameters mapping, CA trusted stores, private keys, and certificate validation tests.
For instance, we found that two of the tested network appliances perform no certificate validation,
exposing their end-clients to trivial Man-in-the-Middle attacks.
Moreover, the remaining network appliances that do perform certificate validation fall short of best practices, leaving loopholes for skilled attackers.
Furthermore, we found that all the tested network appliances deceive the requesting clients,
by offering TLS parameters that are different from the proxy-to-server TLS connection's parameters, such as the TLS versions, hashing algorithms,
and RSA key sizes. We hope that this work will shine a spotlight on the risks and vulnerabilities of using TLS proxies that are deployed in
many enterprise and government environments, potentially affecting all their users and systems.
Louis Waked, Mohammad Mannan, and Amr Youssef. 2018. To Intercept or Not to Intercept: Analyzing TLS Interception in Network Appliances.
In ASIA CCS ’18: 2018 ACM Asia Conference on Computer and Communications Security, June 4–8, 2018, Incheon, Republic of Korea.
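As an added illustration of the two findings above (client-facing parameters that differ from the proxy-to-server leg, and server legs that fall below the bar of an up-to-date browser), the following is an example audit check, not code from the paper or its framework: it takes a constructed handshake summary of each leg and reports where the proxy shows the client stronger parameters than it actually negotiated upstream. The strength rankings and the browser baseline are assumptions for the example.

```python
"""Audit the two legs of a TLS-intercepting proxy for parameter deception.

Constructed example (not from the paper): CLIENT_LEG is what the proxy offers
the requesting client; SERVER_LEG is what the proxy negotiated with the origin
server. A finding is raised when the client leg claims a stronger parameter
than the server leg, or when the server leg is weaker than a modern browser.
"""

# Ordinal strength rankings; higher index = stronger (assumption for the example).
TLS_VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
HASH_ALGS = ["md5", "sha1", "sha256", "sha384", "sha512"]

# Assumed minimum an up-to-date browser would accept on the server leg.
BROWSER_BASELINE = {"tls_version": "TLSv1.2", "sig_hash": "sha256", "rsa_bits": 2048}


def _rank(table, value):
    """Map a parameter value onto its strength ordinal; unknown values are an error."""
    try:
        return table.index(value)
    except ValueError:
        raise ValueError(f"unknown parameter value: {value!r}")


# How to compare each parameter: (key, function turning a value into a strength).
CHECKS = [
    ("tls_version", lambda v: _rank(TLS_VERSIONS, v)),
    ("sig_hash", lambda v: _rank(HASH_ALGS, v)),
    ("rsa_bits", int),
]


def find_deception(client_leg, server_leg):
    """Return (key, shown_to_client, negotiated_upstream) where the client leg is stronger."""
    return [(k, client_leg[k], server_leg[k]) for k, strength in CHECKS
            if strength(client_leg[k]) > strength(server_leg[k])]


def below_browser_baseline(server_leg):
    """Return the keys on which the server leg is weaker than the browser baseline."""
    return [k for k, strength in CHECKS
            if strength(server_leg[k]) < strength(BROWSER_BASELINE[k])]


# Constructed handshake summaries, as an auditor might extract from a capture of each leg.
CLIENT_LEG = {"tls_version": "TLSv1.2", "sig_hash": "sha256", "rsa_bits": 2048}
SERVER_LEG = {"tls_version": "TLSv1.0", "sig_hash": "sha1", "rsa_bits": 1024}

if __name__ == "__main__":
    for key, shown, actual in find_deception(CLIENT_LEG, SERVER_LEG):
        print(f"{key}: client is shown {shown}, upstream negotiated {actual}")
    print("server leg below browser baseline on:", below_browser_baseline(SERVER_LEG))
```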