The Security Impact of HTTPS InterceptionThe Security Impact of HTTPS Interception
  1. publications
  2. web security

The Security Impact of HTTPS Interception

Available Media

Publication (Pdf)

ConferenceNetwork and Distributed Systems Symposium
AuthorsZakir Durumeric , Zane Ma , Drew Springall ,
Citation

Bibtex Citation

@inproceedings{ DURUMERIC2017THE,title = {The Security Impact of HTTPS Interception},author = {"Zakir, Durumeric" and "Zane, Ma" and "Drew, Springall" and "Richard, Barnes" and "Nick, Sullivan" and "Elie, Bursztein" and "Michael, Bailey" and "J Alex, Halderman" and "Vern, Paxson"},booktitle = {Network and Distributed Systems Symposium},year = {2017},organization = {Internet Society}}

As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic. In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception. First, we show that web servers can detect interception by identifying a mismatch between the HTTP User-Agent header and TLS client behavior. We characterize the TLS handshakes of major browsers and popular interception products, which we use to build a set of heuristics to detect interception and identify the responsible product. We deploy these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. We find more than an order of magnitude more interception than previously estimated and with dramatic impact on connection security. To understand why security suffers, we investigate popular middleboxes and clientside security software, finding that nearly all reduce connection security and many introduce severe vulnerabilities. Drawing on our measurements, we conclude with a discussion on recent proposals to safely monitor HTTPS and recommendations for the security community.

Recent

newsletter signup slide

Get cutting edge research directly in your inbox.

newsletter signup slide

Get cutting edge research directly in your inbox.