Enterprise firewalls are man-in-the-middling HTTPS sessions like crazy, and weakening security

A group of security researchers from academe and industry (including perennial Boing Boing favorite J Alex Halderman) have published an important paper documenting the prevalence and problems of firewalls that break secure web sessions in order to scan their contents for undesirable and malicious content.

As the researchers write, the security community is working at cross-purposes. On the one hand, there's a massive, concerted effort to encrypt the web, enabling HTTPS by default on every session. On the other hand, there's the perimeter defense/censorware/firewall industry, who want to spy on all the traffic entering networks to make sure that enterprise policies about content are being enforced (including policies about scanning attachments for malware and interdicting attempts to compromise browsers).

The researchers found that HTTPS interception is at least an order of magnitude more common than previously believed (4 to 11% of connections, depending on the vantage point), and the methods that interception products use to break HTTPS often leave users open to spying and code-injection: most intercepted connections end up with weaker TLS than the browser itself would have negotiated, and many products fail to validate the server's certificate at all. Traffic from Firefox was intercepted somewhat less often than traffic from rival browsers.

In this paper, we conducted the first comprehensive study on the security impact of HTTPS interception in the wild. We characterized the TLS handshakes produced by modern browsers, common security products, and malware, finding that products advertise varied TLS parameters. Building on this observation, we constructed a set of heuristics that allow web servers to detect HTTPS interception and identify popular interception products. We deployed these heuristics on three diverse networks: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. In each case, we find more than an order of magnitude more interception than previously estimated, ranging from 4–11%. As a class, interception products drastically reduce connection security. Most concerningly, 62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities. We investigated popular antivirus and corporate proxies, finding that nearly all reduce connection security and that many introduce vulnerabilities (e.g., fail to validate certificates). While the security community has long known that security products intercept connections, we have largely ignored the issue, believing that only a small fraction of connections are affected. However, we find that interception has become startlingly widespread and with worrying consequences. We hope that by bringing these issues to light, we can encourage manufacturers to improve their security profiles and prompt the security community to discuss alternatives to HTTPS interception.

The Security Impact of HTTPS Interception [Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J. Alex Halderman, and Vern Paxson]
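The detection trick the abstract describes (a web server compares the TLS ClientHello it actually received against what the browser named in the User-Agent header is known to send) can be shown in a few dozen lines. The code below is an added illustration, not code from the paper or from any of its authors: the "Firefox" profile is a simplified, hypothetical fingerprint, the two ClientHello records are constructed inline, and the `build_client_hello`, `parse_client_hello` and `classify` functions are this example's own.

```python
"""Server-side HTTPS interception check via ClientHello fingerprinting.

Constructed example (not the paper's code). A real browser emits a stable
set of TLS parameters; an interception proxy re-originates the connection
with its own TLS stack, so the ClientHello no longer matches the browser
named in the HTTP User-Agent header. The browser profile below is a
simplified stand-in, not a real Firefox fingerprint.
"""
import struct

# IANA cipher suite identifiers (real values).
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003
WEAK_SUITES = {TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_EXPORT_WITH_RC4_40_MD5}

# TLS extension type numbers (real values).
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0x0000, 0x000A, 0x000B
EXT_SIGNATURE_ALGORITHMS, EXT_ALPN = 0x000D, 0x0010

# Hypothetical browser profile: (version, cipher order, extension order).
BROWSER_PROFILES = {
    "Firefox": (0x0303,
                (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA),
                (EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS,
                 EXT_SIGNATURE_ALGORITHMS, EXT_ALPN)),
}


def build_client_hello(version, ciphers, extensions):
    """Serialize a minimal TLS 1.2 ClientHello record (RFC 5246 layout)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = struct.pack("!H", version)
    body += b"\x00" * 32                        # client random (zeros: constructed input)
    body += b"\x00"                             # empty session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                         # one compression method: null
    body += struct.pack("!H", len(ext_body)) + ext_body
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, cipher list, extension type list) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 9                                     # 5-byte record header + 4-byte handshake header
    version = struct.unpack_from("!H", record, pos)[0]; pos += 2
    pos += 32                                   # skip client random
    pos += 1 + record[pos]                      # skip session id
    cs_len = struct.unpack_from("!H", record, pos)[0]; pos += 2
    ciphers = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                      # skip compression methods
    ext_types = []
    if pos < len(record):
        ext_len = struct.unpack_from("!H", record, pos)[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            t, l = struct.unpack_from("!HH", record, pos)
            ext_types.append(t)
            pos += 4 + l
    return version, ciphers, ext_types


def claimed_browser(user_agent):
    """Pick the profiled browser named in the User-Agent, if any."""
    for name in BROWSER_PROFILES:
        if name + "/" in user_agent:
            return name
    return None


def classify(record, user_agent):
    """Return ('matches' | 'intercepted' | 'unknown', weak suites offered)."""
    version, ciphers, exts = parse_client_hello(record)
    weak = sorted(c for c in ciphers if c in WEAK_SUITES)
    name = claimed_browser(user_agent)
    if name is None:
        return "unknown", weak
    if (version, tuple(ciphers), tuple(exts)) == BROWSER_PROFILES[name]:
        return "matches", weak
    return "intercepted", weak


# Constructed inputs: the User-Agent a server would see on the HTTP layer,
# a ClientHello matching the profile, and one re-originated by a proxy with
# an older stack (different suite order, RC4 offered, no ALPN).
UA = "Mozilla/5.0 (Windows NT 10.0; rv:50.0) Gecko/20100101 Firefox/50.0"
GENUINE = build_client_hello(0x0303, list(BROWSER_PROFILES["Firefox"][1]),
                             [(t, b"") for t in BROWSER_PROFILES["Firefox"][2]])
PROXIED = build_client_hello(0x0303,
                             [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                              TLS_RSA_WITH_RC4_128_SHA],
                             [(EXT_SERVER_NAME, b""), (EXT_SUPPORTED_GROUPS, b"")])

if __name__ == "__main__":
    print(classify(GENUINE, UA))   # ('matches', [])
    print(classify(PROXIED, UA))   # ('intercepted', [5])
```

Two caveats a practitioner would add. First, this only catches a proxy whose TLS stack differs from the browser's; a middlebox that replays the browser's exact ClientHello is invisible to it, and real browser profiles change with every release, so the fingerprint table must be maintained. Second, the server sees only the outer leg of the intercepted connection: the certificate-validation failures the abstract calls out happen on the client side of the middlebox and cannot be observed from here at all.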

(via Four Short Links)