The Security Impact of HTTPS Interception
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are the Internet protocols that encrypt communications between a client and a server. The client authenticates the server through a chain of digital certificates, which shows that the connection is with a legitimate server whose identity has been verified by a trusted third-party certificate authority.
An interception device must therefore get its own certificate trusted by the client devices in order to work; otherwise users would constantly see warnings that their connection was not secure.
HTTPS inspection works by intercepting the HTTPS network traffic and performing a man-in-the-middle (MITM) attack on the connection. Browsers and other applications then use the interception product's certificate to validate the encrypted connection, but that introduces two problems: first, the client can no longer verify the public server's certificate itself; second, and more significantly, the way the inspection product communicates with the web server becomes invisible to the user.
In other words, the user can only verify that their connection to the interception product is legitimate, and has no way of knowing whether the rest of the communication, from the product to the web server over the Internet, is secure or has been compromised.
And, it turns out, many of these middleboxes and interception software suites do a poor job of security themselves. Many do not properly verify the server's certificate chain before re-encrypting and forwarding client data. Some do a poor job of forwarding certificate-chain verification errors, leaving users in the dark about a possible attack.
In other words: the effort to check that a security system is working undermines the very security it is supposed to be checking.
Think of it as someone leaving your front door wide open while they check that the key fits.
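The upstream-verification failure described above, and the kind of check one would run against an inspection product, can be reproduced in a self-contained lab. The Go program below is an added example written for this page; it is not code from the original article or from any inspection product. It generates a constructed root CA, an upstream server whose certificate chains to that root, and a second upstream presenting an untrusted self-signed certificate for the same hostname, then connects to each the way the Internet-facing side of an interception product would: once validating the chain and hostname, once with verification switched off. The hostname www.example.test, the CA name, and the functions NewLab and UpstreamVerdict are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newTemplate builds a certificate template; the names used are constructed for this example.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	t := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, t.KeyUsage|x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn} // hostname verification matches the SAN, not the CN
	}
	return t
}

// makeCert issues a certificate from template; parent == nil makes it self-signed.
func makeCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	return der, key
}

// serveTLS starts a loopback TLS server that completes every handshake before hanging up,
// so the connecting side always learns whether its own verification passed.
func serveTLS(der []byte, key *ecdsa.PrivateKey) net.Listener {
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln
}

// NewLab builds the constructed fixture: a trusted root, an upstream whose certificate chains
// to it, and an upstream presenting an untrusted self-signed certificate for the same hostname.
func NewLab() (roots *x509.CertPool, goodAddr, badAddr string, cleanup func()) {
	caDER, caKey := makeCert(newTemplate("Constructed Root CA", true), nil, nil)
	ca, _ := x509.ParseCertificate(caDER)
	goodDER, goodKey := makeCert(newTemplate("www.example.test", false), ca, caKey)
	badDER, badKey := makeCert(newTemplate("www.example.test", false), nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	good, bad := serveTLS(goodDER, goodKey), serveTLS(badDER, badKey)
	return roots, good.Addr().String(), bad.Addr().String(), func() { good.Close(); bad.Close() }
}

// UpstreamVerdict models the Internet-facing half of an inspection product opening its own TLS
// session to the origin. verify=false is the weak behaviour the article warns about (the upstream
// chain is never checked); verify=true validates chain and hostname against roots instead.
func UpstreamVerdict(addr string, roots *x509.CertPool, verify bool) string {
	cfg := &tls.Config{ServerName: "www.example.test", RootCAs: roots, InsecureSkipVerify: !verify}
	conn, err := tls.Dial("tcp", addr, cfg)
	var unknownCA x509.UnknownAuthorityError
	switch {
	case err == nil:
		conn.Close()
		return "accepted"
	case errors.As(err, &unknownCA):
		return "rejected: unknown authority"
	default:
		return "rejected: " + err.Error()
	}
}

func main() {
	roots, good, bad, cleanup := NewLab()
	defer cleanup()
	fmt.Println("trusted upstream, verifying product:   ", UpstreamVerdict(good, roots, true))
	fmt.Println("untrusted upstream, verifying product: ", UpstreamVerdict(bad, roots, true))
	fmt.Println("untrusted upstream, checks skipped:    ", UpstreamVerdict(bad, roots, false))
}
```

Run it with go run: the verifying connection to the trusted upstream is accepted, the verifying connection to the untrusted upstream is rejected with an unknown-authority error, and the non-verifying connection accepts the untrusted certificate without complaint. That last case is the condition the article describes, and the one a product has to surface to the client as a certificate error rather than silently re-encrypting the session.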
The following academic article describes this issue:
To check whether your inspection product performs proper certificate verification:
Please also have a look at the US-CERT Advisory.