@drs5ma
Last active February 7, 2020 16:30
TLS Interception & SSL Inspection Blog Post

TLS Interception and SSL Inspection


The fact that "SSL inspection" is a phrase that exists, should be a blazing red flag that what you think SSL is doing for you is fundamentally broken. Compounding the problem are the mistakes that SSL inspection software authors are making.

-- Will Dormann (2015), Carnegie Mellon Software Engineering Institute CERT/CC Blog


Note these issues are always bugs in the middlebox products. TLS version negotiation is backwards compatible, so a correctly-implemented TLS-terminating proxy should not require changes to work in a TLS-1.3-capable ecosystem. It can simply speak TLS 1.2 at both client <-> proxy and proxy <-> server TLS connections. That these products broke is an indication of defects in their TLS implementations

-- David Benjamin, (2017), Chromium Bug Tracker


Recent History

TLS Interception, also referred to as SSL Inspection, has been in the news in recent years and months. Back in 2014, researchers from Brigham Young University published a paper titled TLS Proxies: Friend or Foe? where they deployed a Flash application via a Google AdWords campaign to identify client-server certificate mismatches across the web. They discovered a wide prevalence of adware, malware and TLS proxy products presenting certificates trusted by the client but not issued by the server -- and in most instances acting in a negligent manner by introducing security vulnerabilities. One parental filter they tested replaced untrusted certificates with trusted ones. This is exactly the type of passive attack HTTPS aims to prevent.

Vulnerabilities involving two advertisement injectors, one of which was preinstalled on Lenovo PCs, were found to severely compromise the security of end users in February of 2015. Later that same year, German journalist Hanno Böck looked at three popular antivirus suites and found that all lowered security by either exposing end users to vulnerabilities like FREAK and CRIME or supporting less secure encryption algorithms.

In 2017, researchers teamed up with Google, Mozilla, and Cloudflare for an internet-wide survey, The Security Impact of HTTPS Interception. TLS interception software was assessed based on how the observed TLS connection differed from the TLS parameters advertised by the client. In all but two of the tested products, security was reduced, and in some cases serious vulnerabilities were introduced. Most recently, in February of 2017, a Chrome 56 update took almost a third of Montgomery County Public Schools' fleet of 50,000 Chromebooks offline, because the school system's web filter, BlueCoat Proxy, mishandled TLS 1.3 connections.

How it works

SSL/TLS inspection is performed by software on "middleboxes" located in between the client and HTTPS website or on the client’s machine, in the case of malware, anti-virus software, and ad injectors. Middlebox software has both legitimate and illegitimate use cases and often belongs to one of the following categories:

  • proxies or content filters
  • antivirus suites
  • content cachers
  • advertisement injectors
  • malware

Middlebox framework


Figure 1 from [The Security Impact of HTTPS Interception (2017)](https://zakird.com/papers/https_interception.pdf)

Middlebox proxy software relies on the client having previously installed a root certificate onto their operating system. Outgoing SSL/TLS connections from the client are terminated at the proxy, which re-establishes them to the server. In an ideal situation, the proxy's ClientHello mirrors the TLS parameters expressed in the client's ClientHello. The proxy can then inspect the plaintext and establish a TLS connection back to the client using the installed certificate, which circumvents browser warnings and silently man-in-the-middles the connection between client and server.

2015: Lenovo / Superfish

In 2015, there was an incident involving Lenovo PCs shipped with a preinstalled image advertisement optimizer developed by Superfish. Superfish used Komodia's tool "SSL hijacker" to intercept HTTPS connections in order to gather image data for its ad optimization engine. Komodia's tool is similar to all SSL inspectors: it first installs root certificates on the machine and then MITMs all TLS connections to HTTPS websites, issuing its preinstalled certificate to the client instead of the HTTPS server's certificate to bypass browser warnings.

The issue was that the private key for the certificate was hardcoded into the software, meaning it was the same private key for every machine running Superfish. It didn't take long for security researcher Robert Graham to crack the password for the private key (it was 'komodia').

At the time, this meant an adversary could MITM any client running Superfish by using a copy of this hardcoded certificate. Komodia released a security notice saying they fixed the issue by updating the software to create unique certificates per installation and randomly generated passwords. They also patched other vulnerabilities, such as updating their list of supported cipher suites and verifying certificate revocation statuses. The countermeasures outlined in their security notice serve as a starting point for all HTTPS interception software developers.

2015: PrivDog & Adtrustmedia

Shortly after the Superfish incident, a software named PrivDog made by Adtrustmedia was also found to be vulnerable. PrivDog is an advertisement program which intercepts HTTPS connections and replaces "bad" advertisements with advertisements approved by Adtrustmedia.

PrivDog, like the aforementioned parental filter, simply replaced certificates for an HTTPS server with the root certificate they installed on the affected machine, without any validation of the original certificate. So not only did it make untrusted certificates seem trusted, but the certificates of legitimate websites with EV Certificates were replaced with PrivDog's self-signed certificate, removing the green browser indication. Any website an affected user visited with an invalid certificate would appear valid, without browser warnings. In addition, an adversary could actively MITM any client running PrivDog by creating a self-signed certificate.

2017: "The Security Impact of HTTPS Interception"

Grades for middlebox interception


from [The Security Impact of HTTPS Interception (2017)](https://zakird.com/papers/https_interception.pdf)

In early 2017, researchers teamed up with Google, Mozilla and Cloudflare in an effort to measure TLS interception in an internet-wide study. They noted that TLS interception software can be detected from the server's point of view by identifying a mismatch between popular browsers' TLS handshakes and the observed handshake. Going one step further, by observing the TLS handshakes of popular interception software they were able to construct fingerprints for some of the most widely used interception products.

The study measured interception from the vantage point of the Cloudflare CDN, Firefox Update servers, and popular e-commerce sites. Important results from the study found that about 5-10% of measured HTTPS connections were intercepted, and much of the software reduced the security of the end user in one way or another, with 97%, 54%, and 32% of connections to Firefox, Cloudflare, and e-commerce sites becoming less secure respectively. Interestingly, the only middlebox software to earn a grade of ‘A’ was BlueCoat Proxy.
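The server-side handshake-mismatch check described above, as an added example that is not code from the study or from this post: it parses a ClientHello and compares the offered cipher suites and extensions with the profile expected for the browser the client claims to be. The browser name, its profile, the sample ClientHellos and the use of the User-Agent header to learn the claimed browser are all assumptions constructed for illustration.

```python
import struct

WEAK = {0x0004, 0x0005, 0x000A}  # RC4-MD5, RC4-SHA, 3DES-EDE-CBC-SHA
# Constructed profile for a made-up browser; real fingerprints must be measured.
PROFILES = {"ExampleBrowser/1.0": ([0x1301, 0xC02B, 0xC02F], [0, 10, 11, 13, 16])}

def build_client_hello(suites, extensions):
    """Build a minimal ClientHello record (constructed input, empty extension bodies)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    ext = b"".join(struct.pack("!HH", t, 0) for t in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return (cipher_suites, extension_types) in the order the client offered them."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32               # record header, handshake header, version, random
    pos += 1 + record[pos]             # skip session_id
    (n,) = struct.unpack_from("!H", record, pos)
    suites = list(struct.unpack_from(f"!{n // 2}H", record, pos + 2))
    pos += 2 + n
    pos += 1 + record[pos]             # skip compression methods
    exts = []
    if pos + 2 <= len(record):         # the extensions block is optional
        (total,) = struct.unpack_from("!H", record, pos)
        pos, end = pos + 2, pos + 2 + total
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            exts.append(etype)
            pos += 4 + elen
    return suites, exts

def assess(user_agent, record):
    """Compare the observed handshake with the profile of the claimed browser."""
    suites, exts = parse_client_hello(record)
    expected = PROFILES.get(user_agent)
    if expected is None:
        return "unknown-client"
    if (suites, exts) == expected:
        return "consistent"
    # Weak suites the real browser would never offer point to a downgrading proxy.
    added_weak = (set(suites) & WEAK) - set(expected[0])
    return "mismatch-weakened" if added_weak else "mismatch"

direct = build_client_hello(*PROFILES["ExampleBrowser/1.0"])           # constructed
proxied = build_client_hello([0xC02F, 0x0005, 0x000A], [0, 10, 11])    # constructed
print(assess("ExampleBrowser/1.0", direct), assess("ExampleBrowser/1.0", proxied))
```

A mismatch only says that something other than the claimed browser terminated TLS; attributing it to a specific product needs a measured fingerprint for that product.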

2017: Chrome 56 update breaks BlueCoat Proxy v6.5

On February 21, 2017, a few weeks after the Google paper was published, mishandling of TLS 1.3 connections by BlueCoat Proxy left thousands of clients without an internet connection after an automatic Chrome 56 update. The problem wasn’t that BlueCoat Proxy didn’t implement TLS 1.3, but that it didn’t gracefully renegotiate down to TLS 1.2, which it does support. This left tens of thousands of Chromebooks used by Montgomery County Public Schools students temporarily unable to connect to the internet. The temporary solution was for individual users to alter Chrome's internal settings to disable TLS 1.3 (chrome://flags/#ssl-version-max) until a more general solution was delivered the following day.

Looking Forward

Whether it be at the cost of availability or end user security, these incidents expose the fragility of TLS interception software. Google has reached out to middlebox vendors in an effort to help them resolve the issues, but at the same time, vendors should independently strive to fix their products for the security of their users. From the other perspective, organizations should choose products in an informed manner, consulting the results of "The Security Impact of HTTPS Interception" to decide whether a product's treatment of TLS connections reflects their security needs.

Grades for various clientside interception


from [The Security Impact of HTTPS Interception (2017)](https://zakird.com/papers/https_interception.pdf)