Enterprise firewalls are man-in-the-middling HTTPS sessions like crazy, and weakening security

A group of security researchers from academe and industry (including perennial Boing Boing favorite J Alex Halderman) have published an important paper documenting the prevalence and problems of firewalls that break secure web sessions in order to scan their contents for undesirable and malicious content.


As the researchers write, the security community is working at cross-purposes. On the one hand, there's a massive, concerted effort to encrypt the web, enabling HTTPS by default on every session. On the other hand, there's the perimeter defense/censorware/firewall industry, who want to spy on all the traffic entering networks to make sure that enterprise policies about content are being enforced (including policies about scanning attachments for malware and interdicting attempts to compromise browsers).

The researchers found that the prevalence of these man-in-the-middle attacks is at least an order of magnitude higher than previously believed, and that the methods firewall vendors use to break open HTTPS often leave users exposed to spying and code injection. Firefox is slightly more secure than rival browsers.

In this paper, we conducted the first comprehensive study on the security impact of HTTPS interception in the wild. We characterized the TLS handshakes produced by modern browsers, common security products, and malware, finding that products advertise varied TLS parameters. Building on this observation, we constructed a set of heuristics that allow web servers to detect HTTPS interception and identify popular interception products. We deployed these heuristics on three diverse networks: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. In each case, we find more than an order of magnitude more interception than previously estimated, ranging from 4–11%. As a class, interception products drastically reduce connection security. Most concerningly, 62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities. We investigated popular antivirus and corporate proxies, finding that nearly all reduce connection security and that many introduce vulnerabilities (e.g., fail to validate certificates). While the security community has long known that security products intercept connections, we have largely ignored the issue, believing that only a small fraction of connections are affected. However, we find that interception has become startlingly widespread and with worrying consequences. We hope that by bringing these issues to light, we can encourage manufacturers to improve their security profiles and prompt the security community to discuss alternatives to HTTPS interception.
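The detection idea in the abstract is that a browser's TLS ClientHello (its cipher-suite order and extension set) is a stable fingerprint, so a server can compare what it actually sees in the handshake against what the browser named in the HTTP User-Agent is known to send; a mismatch means something in the path terminated the TLS session and opened its own. The script below is an added illustration of that comparison from a server operator's side, not code from the paper or from any of the authors. The browser profiles, the interception-product signatures, the cipher-suite names and the sample observations are all constructed placeholders, not real fingerprints.

```python
"""Server-side heuristic for spotting HTTPS interception (added example).

Compares the observed ClientHello parameters with the profile of the
browser claimed in the User-Agent.  All profiles and signatures here are
constructed for illustration; real fingerprints vary by browser version.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed browser profiles.  Cipher order matters: a given browser
# version always sends the same preference list.
BROWSER_PROFILES = {
    "Firefox": {
        "ciphers": ("AES128-GCM-SHA256", "CHACHA20-POLY1305",
                    "AES256-GCM-SHA384", "AES128-SHA"),
        "extensions": {"server_name", "supported_groups", "ec_point_formats",
                       "signature_algorithms", "alpn"},
    },
    "Chrome": {
        "ciphers": ("AES128-GCM-SHA256", "AES256-GCM-SHA384",
                    "CHACHA20-POLY1305", "AES128-SHA"),
        "extensions": {"server_name", "supported_groups", "ec_point_formats",
                       "signature_algorithms", "alpn", "session_ticket"},
    },
}

# Constructed signatures of hypothetical interception products, keyed by the
# exact cipher list their TLS client stack sends.
INTERCEPTOR_SIGNATURES = {
    "ExampleAV": ("AES128-SHA", "AES256-SHA", "RC4-SHA", "DES-CBC3-SHA"),
    "ExampleProxy": ("AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA"),
}

# Suites whose presence alone marks a downgraded connection.
WEAK_CIPHERS = {"RC4-SHA", "DES-CBC3-SHA", "EXPORT-RC4-MD5", "NULL-SHA"}


@dataclass
class Verdict:
    browser: Optional[str]      # browser family named by the User-Agent
    intercepted: bool           # handshake inconsistent with that browser
    product: Optional[str]      # matched interception product, if any
    weak_ciphers: List[str]     # weak suites offered in the ClientHello
    reasons: List[str]          # human-readable evidence


def browser_from_user_agent(user_agent: str) -> Optional[str]:
    """Map a User-Agent string to a profiled browser family (or None)."""
    for name in BROWSER_PROFILES:
        if name in user_agent:
            return name
    return None


def classify_handshake(user_agent: str, ciphers: Iterable[str],
                       extensions: Iterable[str]) -> Verdict:
    """Decide whether the observed ClientHello fits the claimed browser."""
    observed = tuple(ciphers)
    ext = set(extensions)
    reasons: List[str] = []
    weak = [c for c in observed if c in WEAK_CIPHERS]
    product = next((name for name, sig in INTERCEPTOR_SIGNATURES.items()
                    if sig == observed), None)
    if product:
        reasons.append("cipher list matches product " + product)

    browser = browser_from_user_agent(user_agent)
    if browser is None:
        # Unknown client: only a product signature is evidence.
        reasons.append("unrecognised User-Agent")
        return Verdict(None, product is not None, product, weak, reasons)

    profile = BROWSER_PROFILES[browser]
    if observed != profile["ciphers"]:
        reasons.append("cipher list differs from %s profile" % browser)
    missing = profile["extensions"] - ext
    if missing:
        reasons.append("missing extensions: " + ", ".join(sorted(missing)))
    intercepted = observed != profile["ciphers"] or bool(missing)
    return Verdict(browser, intercepted, product, weak, reasons)


def summarize(observations) -> Tuple[int, int, int]:
    """Return (total, intercepted, intercepted-with-weak-ciphers)."""
    verdicts = [classify_handshake(*o) for o in observations]
    intercepted = [v for v in verdicts if v.intercepted]
    return (len(verdicts), len(intercepted),
            sum(1 for v in intercepted if v.weak_ciphers))


# Constructed sample observations: (User-Agent, ciphers, extensions).
SAMPLE_OBSERVATIONS = [
    ("Mozilla/5.0 Firefox/50.0", BROWSER_PROFILES["Firefox"]["ciphers"],
     BROWSER_PROFILES["Firefox"]["extensions"]),
    ("Mozilla/5.0 Firefox/50.0", INTERCEPTOR_SIGNATURES["ExampleAV"],
     {"server_name", "supported_groups"}),
    ("Mozilla/5.0 Chrome/55.0", BROWSER_PROFILES["Chrome"]["ciphers"],
     BROWSER_PROFILES["Chrome"]["extensions"] - {"alpn"}),
    ("curl/7.0", INTERCEPTOR_SIGNATURES["ExampleProxy"], {"server_name"}),
]

if __name__ == "__main__":
    for obs in SAMPLE_OBSERVATIONS:
        print(classify_handshake(*obs))
    print("total/intercepted/weak:", summarize(SAMPLE_OBSERVATIONS))
```

In production the cipher and extension lists come from the raw ClientHello (a TLS-terminating server or a passive tap can expose them), and the profile table has to be maintained per browser version; the value of the approach is that the measurement runs entirely at the server, with no cooperation from the client network.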


The Security Impact of HTTPS Interception [Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J. Alex Halderman, and Vern Paxson]


(via Four Short Links)