HTTPS Interception Weakens TLS Security

HTTPS Interception Weakens TLS Security

Jeffrey Walton
Hi Everyone,

US Cert recently released TA17-075A, "HTTPS Interception Weakens TLS
Security", https://www.us-cert.gov/ncas/alerts/TA17-075A. It indicts
the outbound connection of an interception proxy when the interception
proxy weakens security. Also see Jarmoc's "SSL Interception Proxies
and Transitive Trust",
https://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-Slides.pdf.

How do we handle findings in this case? There seem to be several
choices for findings:

 * a finding against the application for allowing the interception?
 * a finding against the application for using a "weak" proxy?
 * a finding against the proxy?

There could be two (or more) findings with the data in transit. First,
the leg consisting of the client to the proxy; and second, the leg
consisting of the proxy to the intended site. For the client to the
proxy, it was discussed at
http://making-security-measurable.1364806.n2.nabble.com/CVE-or-CWE-for-using-accepting-wrong-CA-to-certify-a-certificate-td7585480.html.
But I am not sure if it is applicable in this situation.

And also keep in mind, the organization which owns the data may not
authorize the interception. That is, a second organization could be
performing the interception.

Jeff

To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
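The weakness the alert indicts is on the second leg Jeff describes, proxy to intended site: the proxy has the client's trust, so whatever it accepts upstream, the client accepts too. The following is an added example, not code from this thread, US-CERT or Jarmoc, that audits the TLS context a proxy would use for that outbound leg for exactly the properties TA17-075A lists (chain validation, hostname checking, protocol floor), builds the weak and the hardened variant side by side, and performs the upstream handshake the way a proxy would so a tester can point it at a host with a bad certificate. It uses only the standard-library ssl and socket modules; the function names and finding codes are this example's own.

```python
"""Audit the outbound (proxy -> origin) leg of an HTTPS interception proxy.

Added example for this thread; not code from the posts, US-CERT or Jarmoc.
Only the standard-library ssl and socket modules are used. The function
names and the finding codes are this example's own.
"""
import socket
import ssl
from typing import List, Optional, Tuple


def audit_outbound_context(ctx: ssl.SSLContext) -> List[str]:
    """Return weakness codes for the TLS context a proxy uses upstream.

    An empty list means the outbound leg authenticates the origin server
    at least as strictly as a current browser would.
    """
    findings = []
    # CERT_NONE: any certificate is accepted, so the origin is never
    # authenticated and the proxy's own clients have no way to notice.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")
    # A valid chain for the wrong name is still a man-in-the-middle.
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    # MINIMUM_SUPPORTED, TLSv1 and TLSv1_1 all compare below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-protocol-allowed")
    return findings


def weak_outbound_context() -> ssl.SSLContext:
    """The configuration TA17-075A describes: the proxy terminates the
    client's TLS, then reconnects upstream without authenticating the origin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # negotiate down to TLS 1.0
    except ValueError:
        pass  # OpenSSL builds compiled without TLS 1.0 refuse to set this
    return ctx


def hardened_outbound_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Outbound leg that validates the origin the way a browser would."""
    # create_default_context() gives CERT_REQUIRED, check_hostname=True and
    # loads the platform trust store (or ca_bundle if one is supplied).
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def upstream_handshake(host: str, port: int, ctx: ssl.SSLContext,
                       timeout: float = 5.0) -> Tuple[bool, str]:
    """Perform the outbound handshake as a proxy would and report whether
    the origin was accepted. Needs network, so it is not exercised offline.

    Against a host presenting an expired, self-signed or wrong-name
    certificate, hardened_outbound_context() must yield (False, ...) while
    weak_outbound_context() yields (True, ...); the latter is the behaviour
    the alert indicts.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version() or ""
    except ssl.SSLError as exc:          # includes SSLCertVerificationError
        return False, exc.__class__.__name__ + ": " + str(exc)
    except OSError as exc:               # SSLError is a subclass, so this is last
        return False, "connect: " + str(exc)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_outbound_context()),
                      ("hardened", hardened_outbound_context())):
        print(name, audit_outbound_context(ctx) or "no findings")
```

audit_outbound_context() answers the "finding against the proxy" question from the proxy vendor's side (does the outbound leg validate at all); upstream_handshake() answers it from the administrator's side, where a tester who cannot read the proxy's configuration runs it against a host with a deliberately bad certificate and sees whether the proxy-style context accepts it.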
RE: HTTPS Interception Weakens TLS Security

Andrew Buttner
Administrator
Jeff,

My thinking is that the specific finding reported would depend on who the audience of the report is. If you are talking to an organization's administrator who is responsible for selecting and installing the proxy, then a finding about using a "weak" proxy would be appropriate. However, if you are talking to the development team of the proxy, then a finding related to the proxy and its failure to properly validate HTTPS certificates would be appropriate.

It doesn't seem like there is any finding related to the application using HTTPS. Agree?

Thanks
Drew


> -----Original Message-----
> From: [hidden email] [mailto:owner-cwe-research-
> [hidden email]] On Behalf Of Jeffrey Walton
> Sent: Tuesday, March 21, 2017 12:48 PM
> To: cwe-research-list CWE Research Discussion <cwe-research-
> [hidden email]>
> Subject: HTTPS Interception Weakens TLS Security