Name
Abstract | ||
|---|---|---|
Network traffic inspection, including TLS traffic, in enterprise environments is widely practiced. Reasons for doing so are primarily related to improving enterprise security (e.g., phishing and malicious traffic detection) and meeting legal requirements (e.g., preventing unauthorized data leakage and copyright violations). To analyze TLS-encrypted data, network appliances implement a Man-in-the-Middle (MITM) TLS proxy by acting as the intended web server to a requesting client (e.g., a browser) and acting as the client to the actual/outside web server. As such, the TLS proxy must implement both a TLS client and a server and handle a large amount of traffic, preferably in real-time. However, as protocol and implementation layer vulnerabilities in TLS/HTTPS are quite frequent, these proxies must be at least as secure as a modern, up-to-date web browser and a properly configured web server (e.g., an A+ rating in SSLlabs.com). As opposed to client-end TLS proxies (e.g., as in several anti-virus products), the proxies in network appliances may serve hundreds to thousands of clients, and any vulnerability in their TLS implementations can significantly downgrade enterprise security.
To analyze TLS security of network appliances, we develop a comprehensive framework, combining and extending tests from existing work on client-end and network-based interception studies. We analyze 13 representative network appliances over a period of more than a year (including versions before and after notifying affected vendors, a total of 17 versions) and uncover several security issues. For instance, we found that four appliances perform no certificate validation at all, three use pre-generated certificates, and eleven accept certificates signed using MD5, exposing their clients to MITM attacks. Our goal is to highlight the risks introduced by widely used TLS proxies in enterprise and government environments, potentially affecting many systems hosting security, privacy, and financially sensitive data.
|
Year | DOI | Venue |
|---|---|---|
2018 | 10.1145/3372802 | Digital Threats: Research and Practice |
Keywords | Field | DocType |
TLS interception,man-in-the-middle,middleboxes,network appliances,server impersonation | Man-in-the-middle attack,Computer security,Computer science,Implementation,MD5,Malware,Enterprise information security architecture,Web server,Certificate,Vulnerability | Journal |
Volume | Issue | ISSN |
1 | 2 | 2692-1626 |
Citations | PageRank | References |
0 | 0.34 | 6 |
Authors | ||
3 | ||
Name | Order | Citations | PageRank |
|---|---|---|---|
| Louis Waked | 1 | 0 | 0.34 |
| Mohammad Mannan | 2 | 4 | 1.12 |
| Amr M. Youssef | 3 | 41 | 10.68 |