
Why do HTTPS interception tools weaken TLS security?

HTTPS interception tools help protect websites, but they can also hurt TLS security. Expert Judith Myerson explains how this works and what enterprises can do about it.

Many companies use HTTPS to better protect their websites, but I just found out HTTPS interception can weaken TLS security. How does this happen? What measures are available to prevent attackers from taking advantage of this weakness?

All HTTPS interception products intercept HTTPS network traffic and perform a deliberate man-in-the-middle on the encrypted connection: they terminate the client's TLS session, inspect the decrypted traffic for threats, and open a second TLS session to the real server. The goal is to stop attacks hidden inside encrypted traffic, but it also makes the product the only party that ever sees the real server's certificate.

To get HTTPS interception products to work, administrators must install trusted certificates, including the product's own certificate in the clients' trust stores and the server-side Transport Layer Security (TLS) certificate on the product. TLS is the protocol that encrypts communications between the client and server. Browsers and other client applications use the installed certificate to validate the encrypted connections the HTTPS interception product creates on the server's behalf.

To secure a website, a trusted third party (a certificate authority) must issue the certificate that is installed on the legitimate server. If you enter https:// for a site without a certificate installed, the browser alerts you that it can't connect securely to the page it's trying to reach. If the connection failure message still appears after the certificate is installed, check with the third party whether the failure is due to improper TLS security settings. If the settings are correct, ask the third party to rebind the certificate to your account.

The problem is that some organizations aren't making sure their HTTPS interception products perform correct TLS certificate validation toward the real server. Because the client only ever sees the certificate minted by the product, client systems have no way of independently validating the HTTPS connection. When an interception product fails to pass warnings or error messages on to the user, it silently removes the protections HTTPS is meant to provide.

To prevent attackers from taking advantage of this weakness, organizations should:

  • Consider the pros and cons of HTTPS interception products before implementing them.
  • Verify the product properly validates certificate chains and passes any warnings or errors to the client.
  • Read "The Risks of SSL Inspection" for a list of potentially affected software.
  • Take other steps to secure end-to-end communications, as presented in US-CERT Alert TA15-120A.
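The second item in that list, that the product must validate the upstream certificate chain and pass any failure on to the client, can be expressed as a concrete check. The Python below is an added example written for this page, not code from the original answer or from any interception product; the function names are this example's own and it uses only the standard library `ssl` module. It contrasts a correctly configured upstream (server-facing) TLS context with the weak one the answer warns about, audits either configuration, and shows the pass-through decision the client-facing side should make when the upstream handshake fails.

```python
import ssl

# Added example, not from the original Q&A. All names below are this example's own.


def strict_upstream_context() -> ssl.SSLContext:
    """Context the product's upstream side should use when it reconnects to the origin:
    chain validation against the system CA store, hostname matching, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname + system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_upstream_context() -> ssl.SSLContext:
    """The failure mode the answer describes: the product accepts any origin certificate,
    so a forged or expired certificate is re-signed and shown to the client as valid."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_upstream_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a proxy's upstream TLS settings."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("upstream certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("server name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions are allowed upstream")
    return findings


def client_outcome(upstream_error):
    """Decide what the client should see given the result of the upstream handshake.
    An upstream validation failure must surface to the client as a failure instead of
    being hidden behind the product's freshly minted certificate."""
    if upstream_error is None:
        return ("connect", "")
    if isinstance(upstream_error, ssl.SSLCertVerificationError):
        return ("block", "origin certificate failed validation: %s" % upstream_error)
    if isinstance(upstream_error, ssl.SSLError):
        return ("block", "TLS handshake with origin failed: %s" % upstream_error)
    return ("block", "upstream connection error: %s" % upstream_error)


def constructed_verification_error() -> ssl.SSLCertVerificationError:
    """A constructed sample of the error the upstream handshake raises on a bad chain."""
    return ssl.SSLCertVerificationError("self-signed certificate in certificate chain")


if __name__ == "__main__":
    for name, ctx in (("strict", strict_upstream_context()), ("weak", weak_upstream_context())):
        print(name, audit_upstream_context(ctx) or ["no findings"])
    print(client_outcome(constructed_verification_error()))
```

The audit only inspects context settings, so it runs without network access; in a real deployment the same three properties are what to confirm on the product's server-facing side, and `client_outcome` is the behaviour to look for when you test the product against a site with a deliberately broken certificate.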


This was last published in June 2017
