Killed by Proxy: Analyzing Client-end TLS Interception Software

Published
Credit
Risk
2015.12.30
concordia
Medium
CWE
CVE
Local
Remote
N/A
N/A
Yes
No

Abstract—To filter SSL/TLS-protected traffic, some antivirus
and parental-control applications interpose a TLS proxy in the
middle of the host’s communications. We set out to analyze such
proxies as there are known problems in other (more matured)
TLS processing engines, such as browsers and common TLS
libraries. Compared to regular proxies, client-end TLS proxies
impose several unique constraints, and must be analyzed for
additional attack vectors; e.g., proxies may trust their own root
certificates for externally-delivered content and rely on a custom
trusted CA store (bypassing OS/browser stores). Covering existing
and new attack vectors, we design an integrated framework to
analyze such client-end TLS proxies. Using the framework, we
perform a thorough analysis of eight antivirus and four parentalcontrol
applications for Windows that act as TLS proxies, along
with two additional products that only import a root certificate.
Our systematic analysis uncovered that several of these tools
severely affect TLS security on their host machines. In particular,
we found that four products are vulnerable to full server
impersonation under an active man-in-the-middle (MITM) attack
out-of-the-box, and two more if TLS filtering is enabled. Several
of these tools also mislead browsers into believing that a TLS
connection is more secure than it actually is, by e.g., artificially
upgrading a server’s TLS version at the client. Our work is
intended to highlight new risks introduced by TLS interception
tools, which are possibly used by millions of users.

More here:
https://madiba.encs.concordia.ca/~x_decarn/papers/tls-proxy-ndss2016.pdf

References:

https://madiba.encs.concordia.ca/~x_decarn/papers/tls-proxy-ndss2016.pdf


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com