Waked, Louis ORCID: https://orcid.org/0000-0002-2799-7184 (2018) Analyzing TLS Interception in Middleware Network Appliances. Masters thesis, Concordia University.
Text (application/pdf), 3MB: Waked_MASc_F2018.pdf - Accepted Version. Available under License Spectrum Terms of Access.
Abstract
Network traffic inspection, including TLS traffic, in enterprise environments is widely practiced. Reasons are primarily related to improving enterprise security (e.g., phishing and malicious traffic detection) and meeting legal requirements (e.g., preventing unauthorized data leakage, complying with laws such as the US Health Insurance Portability and Accountability Act, HIPAA). To be able to analyze TLS-encrypted data, network appliances implement a Man-in-the-Middle (MITM) TLS proxy, acting as the intended web server to a requesting client (e.g., a browser) and as the client to the actual/outside web server. As such, the TLS proxy must implement both a TLS client and a TLS server that can handle a large amount of traffic (preferably in real time). However, as protocol- and implementation-layer vulnerabilities in TLS/HTTPS are quite frequent, these proxies must be at least as secure as a modern, up-to-date web browser (e.g., Chrome, Firefox) and a properly configured web server (e.g., one with an A+ rating on SSLlabs.com). As opposed to client-end TLS proxies (e.g., as implemented in several anti-virus products), the proxies in network appliances may serve tens to hundreds of clients, and any vulnerability in their TLS implementations can significantly downgrade an enterprise's security level.
To analyze TLS security of network appliances, we develop a comprehensive testing framework, by combining and extending tests from existing work on client-end and network-based interception studies. We analyze 13 representative network appliances over a period of more than a year (including multiple product versions, before and after notifying affected vendors, a total of 17 versions), and uncover several security issues regarding TLS version and certificate parameters mapping, CA trusted stores, private keys, and certificate validation tests. For instance, we found that four appliances perform no certificate validation at all, three use pre-generated certificates, and 11 accept certificates signed using the MD5 algorithm, exposing their end-clients to MITM attacks. Our goal is to highlight the risks introduced by widely-used TLS proxies in enterprise and government environments, potentially affecting many systems hosting security, privacy, and financially sensitive data.
| Field | Value |
|---|---|
| Divisions | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
| Item Type | Thesis (Masters) |
| Authors | Waked, Louis |
| Institution | Concordia University |
| Degree Name | M.A. Sc. |
| Program | Information and Systems Engineering |
| Date | 14 June 2018 |
| Thesis Supervisor(s) | Youssef, Amr |
| ID Code | 984502 |
| Deposited By | Louis Waked |
| Deposited On | 16 Nov 2018 16:23 |
| Last Modified | 16 Nov 2018 16:23 |