
The Sorry State of TLS Security in Enterprise Interception Appliances

by Louis Waked, et al.

Network traffic inspection, including TLS traffic, in enterprise environments is widely practiced. Reasons for doing so are primarily related to improving enterprise security (e.g., malware detection) and meeting legal requirements. To analyze TLS-encrypted data, network appliances implement a Man-in-the-Middle TLS proxy: they act as the intended web server towards a requesting client (e.g., a browser), and as the client towards the outside web server. As such, the TLS proxy must implement both a TLS client and a TLS server, and handle a large amount of traffic, preferably in real time. However, as protocol- and implementation-layer vulnerabilities in TLS/HTTPS are quite frequent, these proxies must be at least as secure as a modern, up-to-date web browser and a properly configured web server. As opposed to client-end TLS proxies (e.g., as in several anti-virus products), the proxies in network appliances may serve hundreds to thousands of clients, and any vulnerability in their TLS implementations can significantly downgrade enterprise security. To analyze the TLS security of network appliances, we develop a comprehensive framework by combining and extending tests from existing work on client-end and network-based interception studies. We analyze thirteen representative network appliances over a period of more than a year (including versions before and after notifying affected vendors, a total of 17 versions), and uncover several security issues. For instance, we found that four appliances perform no certificate validation at all, three use pre-generated certificates, and eleven accept certificates signed using MD5, exposing their clients to MITM attacks. Our goal is to highlight the risks introduced by widely-used TLS proxies in enterprise and government environments, potentially affecting many systems hosting security, privacy, and financially sensitive data.
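Two of the abstract's findings concern the proxy's client-side behaviour towards the outside web server: accepting certificates without validation, and accepting certificates whose signature uses MD5. The block below is an added example, not code from the paper or from any appliance it tested. It shows (a) what a proxy's upstream TLS client configuration looks like when it skips validation versus when it is configured as strictly as a modern browser, and (b) a minimal DER walk over an X.509 certificate that reads the outer signatureAlgorithm OID so a weak digest can be rejected explicitly. The sample certificates are constructed inline (a stub tbsCertificate and a placeholder signature, not real certificates) purely to exercise the parser; the OID constants are the standard PKCS#1 identifiers. Modern OpenSSL already refuses MD5 signatures at its default security level, so the explicit check is what an auditor would run over certificates a proxy was observed to accept, rather than a replacement for library validation.

```python
"""Added example: upstream-side TLS hygiene checks for an intercepting proxy.

Not from the paper. Demonstrates the two client-side failures the abstract
reports (no certificate validation; MD5-signed certificates accepted) and the
corresponding hardened behaviour. Uses only the standard library.
"""
import ssl

# PKCS#1 signature-algorithm OIDs (standard values, not assumptions).
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# MD5 is the digest the paper flags; MD2 and SHA-1 are added here because
# browsers reject them as well (going slightly beyond the text).
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4",
                       "1.2.840.113549.1.1.5"}


def weak_upstream_context():
    """Client context that mirrors the 'no certificate validation' finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, from anyone, is accepted
    return ctx


def strict_upstream_context():
    """Client context a proxy should use towards the outside web server."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert_body, 0)           # skip tbsCertificate
    _, alg_body, _ = _read_tlv(cert_body, pos)    # AlgorithmIdentifier
    tag, oid_body, _ = _read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_body)


def is_acceptable_signature(cert_der):
    """(accepted, algorithm_name): reject MD2/MD5/SHA-1 signed certificates."""
    oid = signature_algorithm_oid(cert_der)
    name = SIGNATURE_ALGORITHMS.get(oid, oid)
    return oid not in WEAK_SIGNATURE_OIDS, name


def _der(tag, body):
    """Encode one DER TLV (short or long form length)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_certificate(oid_hex):
    """Constructed stand-in certificate: stub tbsCertificate, given OID, dummy sig."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # just a serial number
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 32)                    # placeholder BIT STRING
    return _der(0x30, tbs + alg + sig)


SAMPLE_MD5_CERT = sample_certificate("2a864886f70d010104")      # md5WithRSAEncryption
SAMPLE_SHA256_CERT = sample_certificate("2a864886f70d01010b")   # sha256WithRSAEncryption

if __name__ == "__main__":
    for label, cert in (("md5", SAMPLE_MD5_CERT), ("sha256", SAMPLE_SHA256_CERT)):
        print(label, is_acceptable_signature(cert))
    print("strict verify_mode:", strict_upstream_context().verify_mode)
```

Running the module prints that the MD5-signed sample is rejected and the SHA-256 sample accepted, and that the strict context uses CERT_REQUIRED; the weak context is the configuration a proxy exhibits when it "performs no certificate validation at all", and is included only so the two settings can be compared side by side.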



