Connect with us

Hi, what are you looking for?


Network Security

U.S. Warns of Security Issues With HTTPS Inspection Products

The U.S. Department of Homeland Security’s US-CERT has issued a new alert warning about problems with some HTTPS inspection products.

The U.S. Department of Homeland Security’s US-CERT has issued a new alert warning about problems with some HTTPS inspection products.

The alert, ‘HTTPS Interception Weakens TLS Security (TA17-075A)’ warns that “Failure [by the SSL/TLS interception software] to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MitM attacks by malicious third parties.”

This alert follows the publication earlier this month of a detailed study of the problem. The study concluded that HTTPS interception before the endpoint (such as that done by anti-virus products) can weaken rather than strengthen network security. The CERT Coordination Center (CERT/CC) first raised the issue two years ago in a blog post titled ‘The Risks of SSL Inspection’ — but US-CERT has only now issued an alert.

The reason for this long delay between unofficial and official warnings is probably twofold. Firstly, the “blog post for CERT was mostly an observation based on a very small sample set of HTTPS inspection solutions that I was able to test myself,” author Will Dormann, a vulnerability analyst at CERT/CC, told SecurityWeek. “It was posed as an issue that needed to be investigated, with the goal that folks with the devices in question could perform their own testing and ideally get back to us with the results.”

It was, in short, a valid but not-scientific analysis of the problem. The new scientific paper, he adds, “appears to have used my blog post as motivation. But they were able to take it much further and provide some real-world statistics about the prevalence of HTTPS interception. This presumably took some time to develop and collect results.”

Dormann believes that the arrival of this paper and the availability of an easy-to-use test website ( have combined to make the time right for a US-CERT alert.

The second motivation for the alert is the increasing use of encryption by malicious actors to bypass security defenses and to hide data exfiltration. Dell highlighted the problem in its 2016 Threat Report. At least 900 million users were affected by encrypted hacks in 2015, it said.

Advertisement. Scroll to continue reading.

Industry’s response has been to install HTTPS inspection software to unpack the encryption and allow traffic inspection. This interception can be found in a range of products including anti-virus, firewalls, DLP, and secure web gateways. They operate by performing the customer’s own ‘legal’ MitM attack on the traffic — but in doing so they break the end-to-end encryption from the trusted server to the end client.

The problem comes in how the HTTPS inspection product then attempts to provide its own ‘trust’ to the client — and tests have shown that many of the products are lacking. “Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data,” warns US-CERT, “allowing the possibility of a MitM attack. Furthermore, certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server.” It adds, “Because client systems may connect to the HTTPS inspection product using strong cryptography, the user will be unaware of any weakness on the other side of the HTTPS inspection.”

This leaves industry with a difficult choice: to inspect HTTPS traffic for reasons of security and risk increasing the attack surface in the process; or to leave alone and find other ways to protect against encrypted bad intent. “There are compelling business reasons for corporations to be able to ‘see into’ encrypted traffic flows,” comments Erka Koivunen, chief information security officer at F-Secure Corporation. “For instance, financial institutions may want to extend their control into encrypted traffic flows in terms of content inspection and Data Loss Prevention. It is no wonder the vendor community is pressurized to come up with ‘innovative’ ways to terminate HTTPS encryption by means of MitM.”

But he doesn’t think using good-intentioned MitM is the answer. “The research by CERT/CC and the US-CERT advisory seem to confirm our point of view,” he told SecurityWeek. “MitM’ing HTTPS traffic adds unnecessary complexity and creates a risky tradeoff between content inspection and communications security.” F-Secure has chosen not to provide an HTTPS inspection capability.

“Most of the functionality can, however, be enforced at an endpoint level,” he added, “and this is where F-Secure has committed to excel. We believe that endpoint security solutions will continue to play a central role in enterprise security. While the ‘other endpoint’ will increasingly reside in the cloud, the security stack needs to be complemented with security in the cloud.”

This won’t suit all organizations; particularly those that choose ‘security in depth’. US-CERT recommends that whether HTTPS inspection is employed or not, organizations should take additional steps to secure communications — and points to the earlier alert (TA15-120A): Securing End-to-End Communications. This recommends using the latest version of TLS or SSL; using certificate pinning; the use of DNS-based Authentication of Named Entities (DANE); and using network notary services.

For HTTPS inspection products, suggests US-CERT, organizations could “use as a method of determining if their preferred HTTPS inspection product properly validates certificates and prevents connections to sites using weak cryptography.”

It is true, High Tech Bridge CEO Ilia Kolochenko, told SecurityWeek, “many organizations wrongly implement HTTPS interception by forcing all their client devices to trust any certificate. In a corporate environment, this can significantly facilitate phishing and drive-by-download attacks.” But, he added, “US-CERT’s recommendations, as well as HPKP usage, can solve this problem in a quite reliable manner.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...