HTTPS interception "security" products severely degrade security

https://jhalderm.com/pub/papers/interception-ndss17.pdf

As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic. In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception.

First, we show that web servers can detect interception by identifying a mismatch between the HTTP User-Agent header and TLS client behavior. We characterize the TLS handshakes of major browsers and popular interception products, which we use to build a set of heuristics to detect interception and identify the responsible product. We deploy these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network.

We find more than an order of magnitude more interception than previously estimated and with dramatic impact on connection security. To understand why security suffers, we investigate popular middleboxes and client-side security software, finding that nearly all reduce connection security and many introduce severe vulnerabilities. Drawing on our measurements, we conclude with a discussion on recent proposals to safely monitor HTTPS and recommendations for the security community.

2 Likes

I’d agree if HTTPS was considered security in the first place. Any CA mediated secure connection is potentially MITM’d. Except Tor which has the keys built-in

2 Likes

ZAP_2.7.0_Linux – I use it all the time if I feel something fishy. Also the old Perspective Add-on for Icecat or Gibson Research fingerprinting. GRC | SSL TLS HTTPS Web Server Certificate Fingerprints  
Or the DNS NSA servers that start with 0 etc… (they might be listed under Google).
Of course I can’t wait for Windows 13 Chinese Home Edition to keep me safe…