
Analyzing TLS Interception in Middleware Network Appliances


Waked, Louis ORCID: https://orcid.org/0000-0002-2799-7184 (2018) Analyzing TLS Interception in Middleware Network Appliances. Masters thesis, Concordia University.

Text (application/pdf)
Waked_MASc_F2018.pdf - Accepted Version
Available under License Spectrum Terms of Access.


Network traffic inspection, including TLS traffic, in enterprise environments is widely practiced. Reasons are primarily related to improving enterprise security (e.g., phishing and malicious traffic detection) and meeting legal requirements (e.g., preventing unauthorized data leakage, complying with laws such as the US Health Insurance Portability and Accountability Act, HIPAA). To be able to analyze TLS-encrypted data, network appliances implement a Man-in-the-Middle TLS proxy, acting as the intended web server to a requesting client (e.g., a browser), and acting as the client to the actual/outside web server. As such, the TLS proxy must implement both a TLS client and a TLS server, which must handle a large amount of traffic (preferably in real time). However, as protocol and implementation layer vulnerabilities in TLS/HTTPS are quite frequent, these proxies must be at least as secure as a modern, up-to-date web browser (e.g., Chrome, Firefox) and a properly configured web server (e.g., an A+ rating on SSLlabs.com). As opposed to client-end TLS proxies (e.g., as implemented in several anti-virus products), the proxies in network appliances may serve tens to hundreds of clients, and any vulnerability in their TLS implementations can significantly downgrade an enterprise's security level.

To analyze TLS security of network appliances, we develop a comprehensive testing framework, by combining and extending tests from existing work on client-end and network-based interception studies. We analyze 13 representative network appliances over a period of more than a year (including multiple product versions, before and after notifying affected vendors, a total of 17 versions), and uncover several security issues regarding TLS version and certificate parameters mapping, CA trusted stores, private keys, and certificate validation tests. For instance, we found that four appliances perform no certificate validation at all, three use pre-generated certificates, and 11 accept certificates signed using the MD5 algorithm, exposing their end-clients to MITM attacks. Our goal is to highlight the risks introduced by widely-used TLS proxies in enterprise and government environments, potentially affecting many systems hosting security, privacy, and financially sensitive data.
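The abstract names two of the failure classes the thesis looks for on the proxy's upstream (proxy-as-client) side: appliances that perform no certificate validation at all, and appliances that accept certificates signed with MD5. The block below is an added illustration written for this page, not code from the thesis or its testing framework. It builds a hardened outbound `ssl.SSLContext` beside the weak configuration, audits either for the two defects, and checks the signature algorithm reported in constructed `openssl x509 -noout -text` output; the sample certificate text, the `audit_*` function names and the list of rejected algorithms are assumptions made here.

```python
import re
import ssl

# Signature-algorithm names as printed by `openssl x509 -noout -text` that an
# upstream validator should refuse. MD5 and SHA-1 are collision-prone; the set
# is an assumption for this example, not a list taken from the thesis.
WEAK_SIGNATURE_ALGORITHMS = {
    "md2WithRSAEncryption",
    "md5WithRSAEncryption",
    "sha1WithRSAEncryption",
    "ecdsa-with-SHA1",
}


def hardened_upstream_context():
    """Proxy-as-client context: chain validation, hostname check, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_upstream_context():
    """The 'no certificate validation at all' configuration, kept only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no version floor at all
    return ctx


def audit_upstream_context(ctx):
    """Return a list of findings; an empty list means the outbound side passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no certificate validation (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts TLS versions below 1.2")
    return findings


# `openssl x509 -text` prints "Signature Algorithm:" once in the TBS block and once
# before the signature bytes; both occurrences are collected.
SIG_ALG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.MULTILINE)


def signature_algorithms(openssl_text):
    return SIG_ALG_RE.findall(openssl_text)


def audit_certificate_text(openssl_text):
    """Flag any weak signature algorithm found in openssl text output."""
    weak = sorted(a for a in set(signature_algorithms(openssl_text))
                  if a in WEAK_SIGNATURE_ALGORITHMS)
    return [f"certificate signed with weak algorithm {a}" for a in weak]


# Constructed sample output, abbreviated; the values are made up for this example.
SAMPLE_MD5_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN = Example Test CA
        Subject: CN = www.example.com
    Signature Algorithm: md5WithRSAEncryption
         0a:1b:2c:3d
"""

SAMPLE_SHA256_CERT_TEXT = SAMPLE_MD5_CERT_TEXT.replace(
    "md5WithRSAEncryption", "sha256WithRSAEncryption")


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_upstream_context()),
                      ("weak", weak_upstream_context())):
        print(name, audit_upstream_context(ctx) or "ok")
    print("md5 cert:", audit_certificate_text(SAMPLE_MD5_CERT_TEXT) or "ok")
    print("sha256 cert:", audit_certificate_text(SAMPLE_SHA256_CERT_TEXT) or "ok")
```

The context audit reads only attributes the proxy's own configuration exposes, so it can run as a startup self-check; the signature-algorithm check is applied to the text form because the standard-library `ssl` module does not expose the signature algorithm of a peer certificate.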

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Waked, Louis
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information and Systems Engineering
Date: 14 June 2018
Thesis Supervisor(s): Youssef, Amr
ID Code: 984502
Deposited By: Louis Waked
Deposited On: 16 Nov 2018 16:23
Last Modified: 16 Nov 2018 16:23
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.