Everyone gets HTTPS interception wrong - just don't do it


  • Moderator

    https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.html

    "So what do we make out of this? A lot of software products intercept HTTPS traffic (antiviruses, adware, youth protection filters, …), many of them promise more security and everyone gets it wrong.

    I think these technologies are a misguided approach. The problem is not that they make mistakes in implementing these technologies, I think the idea is wrong from the start. Man in the Middle used to be a description of an attack technique. It seems strange that it turned into something people consider a legitimate security technology. Filtering should happen on the endpoint or not at all. Browsers do a lot these days to make your HTTPS connections more secure. Please don't mess with that.

    I question the value of Antivirus software in a very general sense, I think it's an approach that has very fundamental problems in itself and often causes more harm than good. But at the very least they should try not to harm other working security mechanisms."



  • I fully share, 100%, at least for what concerns MITM.
    Implementing this would mean breaking the HTTPS (tunneling in general) rules. Does it make sense?

    Does it mean that no anti-virus has to be deployed at the infrastructure level, attached to services like mail, HTTP, FTP, NAS?
    I don't think so.
    IMO, it does help, if limited to non-encrypted flows, to have such tools there, as it permits deploying a different anti-virus engine than at the client level and therefore gives wider analysis (at the risk of more false positives, I do agree).



  • mitm = evil
    it'll always be evil no matter what false sense of protection they can provide by supplying your system with false certs …

    Filtering should happen on the endpoint or not at all.

    filtering should happen first and foremost in one's head …. unfortunately everyone likes to click on "you are the 100000000th visitor"



  • @heper:


    .... unfortunately everyone likes to click on "you are the 100000000th visitor"

    Count me out  ;)


  • Rebel Alliance Developer Netgate

    Count you out? Perhaps it wasn't blingy enough:

    You are the 100000000th visitor!

    You can't resist clicking that one, now, can you? :-)



  • My company uses UTM filtering a fair bit to control garbage like bittorrent, viruses, and malware from entering the network through the gateway (and stop infected machines on the network from reaching out to attack others, too - it's easy to spot the infected machine from the logs). Sure, not everything is detected, but it's just one layer in a well protected network. We typically use SonicWALLs with the gateway security services enabled.

    Endpoint security helps, too, but too often by the time it engages, it's already too late. Everything knows how to disable the McAfee / Symantec / Windows Essentials / Whatever-you-have endpoint protection these days. I can't tell you how many machines I see with up to date antivirus / antimalware on it that's claiming all is well, when it's clearly completely infected. At best, most of the end point protection solutions are just a "most of the time" alert that something just infected the machine as it's time to call someone for help.

    At least with UTM filtering, the incoming download has a chance of being detected and the download killed before it can finish transferring. That's like stopping a burglar at the fence to your yard, before he enters the house, rather than waiting until he's inside stealing your stuff to try and stop him. I prefer proactive, rather than reactive, defense.

    But, with so much of the malware and nasty bandwidth-sucking services heading to HTTPS connections, where it can hide from most UTM gateways, you start having no choice but to implement HTTPS filtering. It's a huge pain to get working right, but it's becoming almost necessary to keep the network safe from those happy clickers in the office or home. If set up right, it's usually pretty transparent to the user. All they know is they didn't get infected while searching for "barenaked ladies", trying to buy tickets.

    So, while yeah, man-in-the-middle is evil when someone is trying to steal your credit card or hijack your VPN, like all things, it depends on why it's being done and by whom.



  • The problem with HTTPS interception is you break end-to-end authentication. If your MITM software signs everything that comes through as "trust this", you can run into a lot of issues.

    Nutshell. HTTPS does both encryption and signing and some software assumes the signing is trustworthy. You break that trust. There are attacks that take advantage of this and get your OS to trust whatever is being sent to it, like via Windows Updates. Normally HTTPS to update.windows.com handles the authentication, but if you sign the response, how does the computer know if update.windows.com doesn't point to some other server in Russia or China? It doesn't.



  • The issue at hand is how can you provide adequate content filtering if you don't intercept SSL? I am fully aware of the consequences of doing so, and ethically it isn't right. As more and more domains switch to secure browsing methods, it becomes impossible to provide a business or home environment that is free from inappropriate materials.



  • @maverik1:

    The issue at hand is how can you provide adequate content filtering if you don't intercept SSL?

    You configure things with a proxy, not try to MITM it.



  • perhaps you should also consider writing a policy and ask the users to comply with it.

    imho, the interwebs were founded with the idea in mind of getting rid of censorship.
    governments, however, try very hard to keep control by passing ridiculous laws to invade people's privacy.  (and have backdoors in encryption or have worldwide mitm)

    it's everyone's choice to decide to be evil or less-evil. make your choice.



  • @cmb:

    @maverik1:

    The issue at hand is how can you provide adequate content filtering if you don't intercept SSL?

    You configure things with a proxy, not try to MITM it.

    You can see how well that works by configuring the proxy and then searching for inappropriate content in Google. All I want to implement is the ability to filter what is searched for. I don't need any results appearing that are outside of suitability.


  • LAYER 8 Netgate

    Exactly why google puts their searches inside HTTPS.  You might consider blocking google if you don't want your users to receive google search results.



  • @heper:

    perhaps you should also consider writing a policy and ask the users to comply with it.

    No one is going to write a policy for their home network. We are talking about innocent children having access to filth. Google should be ashamed for allowing https searches. One misspelled word or fat finger and you instantly have access to garbage. I don't need any inappropriate results appearing. If the search term is inappropriate it should be flagged as such and therefore yield no results.



  • @Derelict:

    Exactly why google puts their searches inside HTTPS.  You might consider blocking google if you don't want your users to receive google search results.

    If they want to put searches through https they need to provide a solution to businesses, school systems and/or home users to filter what is passed to the search engine by implementing an HTTP option.


  • Rebel Alliance Developer Netgate

    You get exactly the same results with SSL interception that you do by configuring a proxy on the user's computer.

    Block direct outbound access to tcp/443 and force people to use the proxy explicitly. What you allow through the proxy is up to you. Interception is the wrong way to do it.

    Locking topic since it's degenerating.
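    The approach in the post above (block direct tcp/443, force an explicit proxy, decide per destination) works because a forwarding proxy learns the destination hostname without decrypting anything: it appears in the HTTP CONNECT request line and again in the SNI extension of the TLS ClientHello. The following is an added example, not code from the thread or from pfSense/Netgate, showing both hostname sources and a domain-based allow/deny decision. The ClientHello builder exists only to construct test input; the domain list is a made-up placeholder.

    ```python
    """Hostname-based filtering of TLS traffic without a man-in-the-middle.

    An explicit proxy sees 'CONNECT host:port' before any TLS bytes; a
    transparent proxy can read the SNI from the first TLS record. Neither
    needs a forged certificate, so end-to-end authentication stays intact.
    """
    import struct


    def host_from_connect(request_line: str):
        """Return the lowercase host from 'CONNECT host:port HTTP/1.1', or None."""
        parts = request_line.strip().split()
        if len(parts) != 3 or parts[0].upper() != "CONNECT":
            return None
        authority = parts[1]
        if authority.startswith("["):            # IPv6 literal: [2001:db8::1]:443
            end = authority.find("]")
            return authority[1:end].lower() if end > 0 else None
        host, _, _port = authority.rpartition(":")
        return (host or authority).lower()


    def extract_sni(record: bytes):
        """Parse server_name out of a TLS ClientHello record; None if absent/malformed."""
        try:
            # Record header: type(1)=0x16 version(2) length(2); handshake type(1)=0x01 length(3)
            if record[0] != 0x16 or record[5] != 0x01:
                return None
            hs_len = int.from_bytes(record[6:9], "big")
            body = record[9:9 + hs_len]
            pos = 2 + 32                                  # client_version + random
            pos += 1 + body[pos]                          # session_id
            pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
            pos += 1 + body[pos]                          # compression_methods
            ext_len = int.from_bytes(body[pos:pos + 2], "big")
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                data = body[pos:pos + elen]
                pos += elen
                if etype != 0:                            # 0 = server_name extension
                    continue
                list_len = int.from_bytes(data[0:2], "big")
                p = 2
                while p + 3 <= 2 + list_len:
                    ntype = data[p]
                    nlen = int.from_bytes(data[p + 1:p + 3], "big")
                    p += 3
                    if ntype == 0:                        # host_name
                        return data[p:p + nlen].decode("ascii", "replace").lower()
                    p += nlen
        except (IndexError, struct.error):
            return None
        return None


    def is_blocked(host: str, blocked_domains) -> bool:
        """True if host equals or is a subdomain of any entry in blocked_domains."""
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in blocked_domains)


    def build_client_hello(server_name) -> bytes:
        """Construct a minimal ClientHello as test input (constructed, not captured traffic)."""
        exts = b""
        if server_name is not None:
            name = server_name.encode("ascii")
            entry = b"\x00" + struct.pack("!H", len(name)) + name
            sni = struct.pack("!H", len(entry)) + entry
            exts += struct.pack("!HH", 0, len(sni)) + sni
        body = (b"\x03\x03" + b"\x00" * 32       # version + random (zeros for the test)
                + b"\x00"                         # empty session_id
                + b"\x00\x02\x13\x01"             # one cipher suite
                + b"\x01\x00"                     # null compression
                + struct.pack("!H", len(exts)) + exts)
        hs = b"\x01" + len(body).to_bytes(3, "big") + body
        return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


    if __name__ == "__main__":
        BLOCKED = {"example.net"}                     # placeholder policy, not a real list
        for line in ("CONNECT www.example.net:443 HTTP/1.1", "CONNECT shop.example.org:443 HTTP/1.1"):
            h = host_from_connect(line)
            print(line, "->", "deny" if is_blocked(h, BLOCKED) else "allow")
        print("SNI:", extract_sni(build_client_hello("cdn.example.net")))
    ```

    Because the decision is made on the hostname only, the proxy forwards the TLS bytes untouched and the browser still validates the real server certificate; a request whose ClientHello carries no SNI simply gets no hostname and falls to whatever default the policy sets.
    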

