My thinking is that the specific finding reported would depend on who the audience of the report is. If you are talking to an organization's administrator who is responsible for selecting and installing the proxy, then a finding about using a "weak" proxy would be appropriate. However, if you are talking to the development team of the proxy, then a finding related to the proxy and its failure to properly validate HTTPS certificates would be appropriate.
It doesn't seem like there is any finding related to the application using HTTPS. Agree?
> -----Original Message-----
> From: [hidden email] [mailto:owner-cwe-research-
> [hidden email]] On Behalf Of Jeffrey Walton
> Sent: Tuesday, March 21, 2017 12:48 PM
> To: cwe-research-list CWE Research Discussion <cwe-research-
> [hidden email]>
> Subject: HTTPS Interception Weakens TLS Security
> Hi Everyone,
> US Cert recently released TA17-075A, "HTTPS Interception Weakens TLS
> Security", https://www.us-cert.gov/ncas/alerts/TA17-075A. It indicts the
> outbound connection of an interception proxy when the interception proxy
> weakens security. Also see Jarmoc's "SSL Interception Proxies and Transitive
> Trust", https://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-Slides.pdf.
> How do we handle findings in this case? There seem to be several choices
> for findings:
> * a finding against the application for allowing the interception?
> * a finding against the application for using a "weak" proxy?
> * a finding against the proxy?
> There could be two (or more) findings with the data in transit. First, the leg
> consisting of the client to the proxy; and second, the leg consisting of the
> proxy to the intended site. For the client to the proxy, it was discussed at
> http://making-security-measurable.1364806.n2.nabble.com/CVE-or-CWE-for-using-accepting-wrong-CA-to-certify-a-certificate-td7585480.html.
> But I am not sure if it is applicable in this situation.
> And also keep in mind, the organization which owns the data may not
> authorize the interception. That is, a second organization could be
> performing the interception.
> To unsubscribe, send an email message to [hidden email] with
> SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have
> difficulties, write to [hidden email].
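The weakness the alert describes lives in the proxy's outbound leg: the client context the proxy uses to reach the intended site. As an added illustration (not part of this thread, and not code from any proxy product), the script below builds a weak outbound context beside a hardened one and runs a small audit over each, reporting the settings that would earn a finding under TA17-075A: no chain verification, no hostname check, and legacy protocol versions allowed. The `audit_outbound_context` function and the two context builders are constructed for this example; only Python's standard `ssl` module is used.

```python
import ssl
from typing import List


def audit_outbound_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a TLS client context such as an interception
    proxy would use on its proxy -> intended-site leg.  An empty list means
    the context verifies the upstream endpoint at least as strictly as a
    well-configured browser would."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(
            "upstream certificate chain is not verified (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append(
            "upstream certificate is not matched against the requested hostname "
            "(check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            "legacy protocol versions are accepted (minimum_version=%s)"
            % ctx.minimum_version.name)
    return findings


def weak_outbound_context() -> ssl.SSLContext:
    """Constructed example of a proxy outbound context that silently accepts
    any upstream certificate, the failure mode TA17-075A warns about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode may be set to CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if ssl.HAS_TLSv1:
        # Allow TLS 1.0 upward, if this OpenSSL build still supports it.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_outbound_context() -> ssl.SSLContext:
    """Outbound context that validates the chain against the platform trust
    store, matches the hostname, and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def report(label: str, ctx: ssl.SSLContext) -> None:
    findings = audit_outbound_context(ctx)
    print("%s: %d finding(s)" % (label, len(findings)))
    for f in findings:
        print("  - " + f)


if __name__ == "__main__":
    report("weak proxy outbound leg", weak_outbound_context())
    report("hardened proxy outbound leg", hardened_outbound_context())
```

Which audience a finding is written for does not change the check itself: the same audit result supports a product-level finding for the proxy's developers (the context does not validate certificates) and a deployment-level finding for the administrator who chose that proxy.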