The National Security Agency (NSA) published an advisory that addresses the risks behind Transport Layer Security Inspection (TLSI) and provides mitigation measures for weakened security in organizations that use TLSI products.
TLSI(akaTLS break and inspect) is the process through which enterprises can inspect encrypted traffic with the help of a dedicated product such as a proxy device, a firewall, intrusion detection orprevention systems (IDS/IPS)that can decrypt and re-encrypt traffic encrypted with TLS.
While some enterprises use this technique for monitoring potential threats such as data exfiltration, active command and control (C2) communication channels, or malware delivery via encrypted traffic, this will also introduce risks.
Enterprise TLSI products that don't properly validatetransport layer security (TLS) certificates, for instance, will weaken the end-to-end protection provided by the TLS encryption to the end-users, drastically increasingthe likelihood that threat actors will target them in man-in-the-middle attack (MiTMP) attacks.
The use of a not properly functioning forwardproxy with TLSI capabilities can lead to unexpected consequences such as rerouting decrypted network traffic to an external network, traffic that can be intercepted by third party inspection devices that can get unauthorized access to sensitive data.
"Deploying firewalls and monitoring network traffic flow on all network interfaces to the forward proxy helps protect a TLSI implementation from potential exploits," the NSA says.
"Implementing analytics on the logs helps ensure the system is operating as expected. Both also help detect intentional and unintentional abuse by security administrators as well as misrouted traffic."
When it's essential to use a TLSI product, the NSA recommends independently validated products that can properly implement data flow, TLS, and CA functions.
Moreover,products validated by the National Information Assurance Partnership (NIAP) "and configured according to the vendors instructions used during validation" should meet the requirements.
Since TLSI will take place in real-time and, to work, TLSI products have to manage two separate TLS connections, this could and will, in most cases, lead to TLS chaining issues that cause TLS protection downgrade problems, eventually leading to potential exploitation of weaker cipher suites and TLS versions.
TLSI forward proxy devices also come with a built-incertification authority (CA) function used for creating and signing new certificates, an embedded and trusted CA that could be used by bad actors "to sign malicious code to bypass host IDS/IPSs or to deploy malicious services that impersonate legitimate enterprise services to the hosts" upon a successful attack.
Attackers could also directly exploit the TLSI devices where the traffic is decrypted thus gaining access to plaintext traffic, while an insider threat such as anauthorized security admin "could abuse their access to capture passwords or other sensitive data visible in the decrypted traffic."
"To minimize the risks described above, breaking and inspecting TLS traffic should only be conducted once within the enterprise network," the NSA advisory adds.
"Redundant TLSI, wherein a client-server traffic flow is decrypted, inspected, and re-encrypted by one forward proxy and is then forwarded to a second forward proxy for more of the same, should not be performed."
More measures to mitigate risks stemming from the use of TLSI devices in an enterprise network are provided by the NSA as part of its security advisory on Managing risk from Transport Layer Security Inspection[PDF].
"The mitigations described above can reduce the risks introduced by a TLSI capability, provide indicators that alert administrators if the TLSI implementation may have been exploited, and minimize unintended blocking of legitimate network activity," the NSA adds.
"In this way, security administrators can successfully add TLSI to their arsenal and continue to step up their methods to combat todays adversaries and TTPs."
The Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert onrisks associated with HTTPS inspection in March 2017, stating that "in general, organizations considering the use of HTTPS inspection should carefully consider the pros and cons of such products before implementing."
"Organizations should also take other steps to secure end-to-end communications, as presented in US-CERT Alert TA15-120A" onsecuring end-to-end communicationsCISA says.
A list of potentially affected software used for TLSIcompiled by CERT/CC vulnerability analystWill Dormann is available herewhilea simple tool for checking if aTLSI productis correctly verifying certificate chains can be found atbadssl.com.
- The Senate Judiciary Committee Wants Everyone to Know It's Concerned About Encryption - EFF - December 14th, 2019
- The Defense Department Says It Needs the Encryption the FBI Wants to Break - Free - December 14th, 2019
- Congress wants to regulate encryption for big tech - The Burn-In - December 14th, 2019
- Facebook says it won't break end-to-end encryption - TechRadar - December 14th, 2019
- Encryption spat sees backdoor back-and-forth between tech firms, Congress - TelecomTV - December 14th, 2019
- Michael Hayden Ran The NSA And CIA: Now Warns That Encryption Backdoors Will Harm American Security & Tech Leadership - Techdirt - December 14th, 2019
- Large, diverse coalition of civil society groups tell the US, UK and Australian governments not to ban working encryption - Boing Boing - December 14th, 2019
- U.S. Attorney Justin Herdman of Ohio says agents need access encrypted devices, apps for the sake of public s - cleveland.com - December 14th, 2019
- Google makes it safer to text on Android phones, but end-to-end encryption is still MIA - PCWorld - December 14th, 2019
- Priti Patel bids to create end-to-end encryption apps' back door - The National - December 14th, 2019
- Encryption can't put tech giants beyond the reach of the law, Minister says - The Age - December 14th, 2019
- Chrome 79 includes anti-phishing and hacked password protection - Naked Security - December 14th, 2019
- Hardware Encryption Technology Market : Analysis and In-depth study on market Size Trends, Emerging Growth Factors and Forecasts to 2027 - Downey... - December 14th, 2019
- Encryption back on the congressional agenda - Politico - December 9th, 2019
- Police radios blocked from the public in southeast Denver metro area - The Denver Post - December 9th, 2019
- Encryption Software Market Innovations, And Top Companies - Forecast To 2029| Microsoft, Sophos Ltd., Check Point Software Technologies Ltd. -... - December 9th, 2019
- Did You Hear That? Securing Communications in 2019 | Insight for the Connected Enterprise - No Jitter - December 9th, 2019
- 'Government broke their promise': Labor seeks to amend encryption legislation - Sydney Morning Herald - December 9th, 2019
- Global Hardware-based Full Disk Encryption Market 2019 Innovation and Technological Developments, Industry Analysis & Outlook 2023 - Weekly News... - December 9th, 2019
- Privacy vs public safety - the pros and cons of encryption - World Economic Forum - December 8th, 2019
- 80% of all Android apps encrypt traffic by default - We Live Security - December 8th, 2019
- Keybase moves to stop onslaught of spammers on encrypted message platform - Ars Technica - December 8th, 2019
- Labor says it will fix encryption laws it voted for last year - ZDNet - December 8th, 2019
- Nick Clegg to be summoned to Parliament to give evidence on Facebook encryption - Sunriseread - December 8th, 2019
- This startup just solves the data privacy problem by making it possible to search encrypted data in the cloud - TechStartups.com - December 8th, 2019
- Encryption Software Market to Discern Magnified Growth During 2017-2027 - Weekly Spy - December 8th, 2019
- Millions of Private Text Messages Have Been Exposed: Here's How to Encrypt Messages on iPhone and Android - Tech Times - December 8th, 2019
- Biometric Data Encryption Device Market : Analysis and In-depth study on market Size Trends, Emerging Growth Factors and Forecasts to 2018 to 2028 -... - December 8th, 2019
- Certbot Leaves Beta with the Release of 1.0 - EFF - December 8th, 2019
- Terrific News for Android OS Users 80% Android apps encrypting traffic by default - Digital Information World - December 8th, 2019
- Hawk Security Limited Began Selling a Hardware-Protected External SSD Drive with Aes 256 XTS Military Grade Encryption - AiThority - December 8th, 2019
- Data security is falling behind as over half of FIs experience data breaches - IBS Intelligence - December 8th, 2019
- Email Encryption Market 2019, Trend, CAGR Status, Growth, Analysis and Forecast to 2025 - VaporBlash - December 8th, 2019
- Encryption Software Market 2019 Size, CAGR Status, Key Players, Growth Analysis and Forecast to 2026 - The Market Publicist - December 2nd, 2019
- Global Encryption Software Market Industry Analysis and Forecast (2018-2026) - Daily Research Stack - December 2nd, 2019
- Fortinet took 18 months to strip software of flawed crypto cipher and keys - The Daily Swig - December 1st, 2019
- Mobile Encryption Market Competitive Research And Precise Outlook 2019 To 2025 - The Market Publicist - December 1st, 2019
- NordPass: Get rid of password stress. Forever. - EE Journal - December 1st, 2019
- Apple patents anti-snooping technology that would stop police from tracking locations and messages - Stock Daily Dish - December 1st, 2019
- Encryption Software Market Research Report by Geographical Analysis and Forecast 2017-2027 - Kentucky Reports - November 28th, 2019
- Encryption Key Management Software Market : Industry Research, Growth Trends And Opportunities For The Forecast Period 2019-2029 - News Description - November 28th, 2019
- iStorage cloudAshur is named: Security Innovation of the Year at the UK IT Industry Awards 2019 - ResponseSource - November 28th, 2019
- Database Encryption Market Analysis Report by Product Type, Industry Application and Future Technology 2025 (International Business Machines... - November 28th, 2019
- The IT Guide to Enforcing Full Disk Encryption Windows Edition - Security Boulevard - November 28th, 2019
- Why The FBI's Former Top Lawyer Now Embraces Encryption - Law360 - November 28th, 2019
- Big Boom in Cloud Encryption Market over 2019-2026 with CipherCloud Inc., Hytrust Inc., Gemalto NV, IBM Corporation and more - Market Expert - November 28th, 2019
- Encrypted Flash Drives Market Size, Growth, Global Industry Analysis, Share, Segments and Forecast 2019-2024 - Space Market Research - November 28th, 2019
- Encryption Software Market 2019 Global Industry Status, Segment by Region, Type and Future Forecast To 2026 - Financial News - November 28th, 2019
- FBI worried about criminals having unfettered access to encryption technology - KTVI Fox 2 St. Louis - November 23rd, 2019
- What Is End-to-End Encryption? Another Bulls-Eye on Big Tech - The New York Times - November 23rd, 2019
- Think of the children: FBI sought Interpol statement against end-to-end crypto - Ars Technica - November 23rd, 2019
- Global Hardware-based Full Disk Encryption Market By Industry Business Plan, Manufacturers, Sales, Supply, Share, Revenue and Forecast Report... - November 23rd, 2019
- Moniker makes a statement with The Encryption EP - The Untz - November 23rd, 2019
- Global Mobile Encryption Market By Industry Business Plan, Manufacturers, Sales, Supply, Share, Revenue and Forecast Report 2019-2024 - BeetleVersion - November 23rd, 2019
- Encryption Key Management Software Market Research Report: Market Analysis on the Future Growth Prospects and Market Trends Adopted by the... - November 23rd, 2019
- Microsoft Windows 10 To Natively Support DNS Over HTTPS Encryption And Obfuscation Technique Making Internet Traffic Monitoring Near Impossible -... - November 23rd, 2019
- Import EFS File Encryption Certificate and Key (PFX file) in Windows 10 - TWCN Tech News - November 23rd, 2019
- What Is Homomorphic Encryption? And Why Is It So Transformative? - Forbes - November 19th, 2019
- FBI Recruits Interpol to Condemn End-to-End Encryption - WebProNews - November 19th, 2019
- Is encryption to blame for WhatsApp snooping? - Livemint - November 19th, 2019
- BEST PRACTICES: Resurgence of encrypted thumb drives shows value of offline backups in the field - Security Boulevard - November 19th, 2019
- Astonishing Growth in Global encryption software market size was valued at USD 2.98 billion in 2018. It is projected to post a CAGR of 16.8% from 2019... - November 19th, 2019
- Encryption Software Market Overview, Latest Analysis and Future Forecast 2019 2025 - Markets Gazette 24 - November 19th, 2019
- With end-to-end encryption, we wouldn't be able to listen in even if we wanted to, says Facebook's Stan Chudnovsky - Mumbrella Asia - November 19th, 2019
- Microsoft Jumps on the DoH Train Company to Introduce Encrypted DNS - Computer Business Review - November 19th, 2019
- Global Mobile Encryption Technology Market 2018 Manufacturers, Types and Application, Analysis History and Forecast 2025 - Galus Australis - November 19th, 2019
- Hardware Encryption Market Growth Forecast Analysis by Top Manufacturers, Regions, Product Types and Application (2019 - 2026) - News Obtain - November 19th, 2019
- The Best Encryption Software for 2019 | PCMag.com - October 21st, 2019
- What is data encryption? - October 19th, 2019
- USB Enforced Encryption - Endpoint Protector - October 19th, 2019
- Authenticated encryption - Crypto++ Wiki - October 19th, 2019
- Tinder's Lack of Encryption Lets Strangers Spy on Your ... - October 19th, 2019
- 'Without Encryption, We Will Lose All Privacy': Snowden ... - October 18th, 2019
- Security pros reiterate warning against encryption backdoors - October 18th, 2019
- Encryption - servicepro.wiki - October 18th, 2019
- Mozy Encryption - October 18th, 2019
- Optical Encryption Market Size, Share, Trends and Forecast ... - October 18th, 2019
- MySQL Enterprise Transparent Data Encryption (TDE) - October 18th, 2019
- What is Encryption? - Definition from WhatIs.com - October 17th, 2019
- How to Set Up BitLocker Encryption on Windows - October 2nd, 2019