US-Cert: HTTPS Interception Weakness

jstock · March 2017

So I'm sure you guys may have heard the news about HTTPS interception weaknesses concerning certificate validation. If you haven't heard check out the following article on DarkReading, US-CERT Warns That HTTPS Inspection Tools Weaken TLS.

Personally, I am surprised that numerous HTTPS Interception products do not properly validate certificates. I am currently in discussions with our Web Content Filtering product provider on their product's lack of certificate validation. It seems like they have been fully aware of the issue for some time now and with this finding, are now just addressing it.

Thoughts?

636-555-3226 · March 2017

I'm not surprised. Companies do the minimum amount necessary to get the job done. Everybody assumes the guy you're paying money to is giving 110% of his all to make the best product possible. Never in a million years. Same thing with open-source software. People think because someone puts the source code online (think OpenSSL) that an army of anonymous and willing donors are helping to make the best product possible. At the end of the day the majority of people and companies don't care as long as it's working, which it is. Whether it works well is another matter. Until someone looks for weaknesses and complains about them, why put forth any extra effort?

gespenstern · March 2017

Not a big deal. Exploiting this would involve NSA level of power anyways.

wastedtime · March 2017

Like others have said this isn't surprising and vendors should be doing this if they allow SSL breakout. If you are doing this you could have a device sniffing the network doing certificate validation in a passive mode. You could turn off SSL breakout but what would you miss because of encrypted traffic?

US-Cert: HTTPS Interception Weakness

Comments