The United States Computer Emergency Readiness Team (“US-CERT”) announced last week that HTTPS interception may weaken Transport Layer Security (TLS), a widely used cryptographic protocol that encrypts communication between the client and the server. This issue may prevent browsers from validating HTTPS connections, thereby increasing the probability of a man-in-the-middle (“MiTM”) attack via malware that uses HTTPS connections to malicious servers. MiTM attacks may cause sensitive information to be stolen.
For US-CERT’s report, see https://www.us-cert.gov/ncas/alerts/TA17-075A.
For a list of possibly affected sites, see https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html.
ACA Aponix Guidance
ACA Aponix suggests following the guidelines provided by US-CERT:
- If you use HTTPS inspection products, verify that they are performing correct TLS certificate validation and are providing warning or error messages to users.
- To perform HTTPS inspection without client warnings, administrators must install trusted certificates on client devices. These certificates must be protected to avoid man-in-the-middle attacks.
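One way to run the first check from a workstation behind the inspection product, as an added example that is not from US-CERT or ACA Aponix: probe hosts that deliberately serve invalid certificates and record whether the client's handshake is rejected. The badssl.com test hosts and the names tls_probe and audit_inspection are assumptions of this example.

```python
import socket
import ssl

# Assumption: public test hosts that deliberately serve invalid certificates.
BAD_CERT_HOSTS = {
    "expired.badssl.com": "expired certificate",
    "self-signed.badssl.com": "self-signed certificate",
    "untrusted-root.badssl.com": "untrusted root CA",
    "wrong.host.badssl.com": "hostname mismatch",
}


def tls_probe(host, port=443, timeout=5.0):
    """Handshake using the OS trust store; return the issuer the client saw.

    Raises ssl.SSLCertVerificationError when validation fails, which is the
    expected outcome for every host in BAD_CERT_HOSTS.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = tls.getpeercert().get("issuer", ())
            return ", ".join(f"{k}={v}" for rdn in issuer for k, v in rdn)


def audit_inspection(hosts=BAD_CERT_HOSTS, probe=tls_probe):
    """Return {host: (verdict, detail)} for each deliberately broken host."""
    results = {}
    for host, defect in hosts.items():
        try:
            issuer = probe(host)
        except ssl.SSLCertVerificationError as exc:
            # The certificate error reached the client.
            reason = getattr(exc, "verify_message", exc)
            results[host] = ("REJECTED", f"{defect} detected: {reason}")
        except OSError as exc:
            # Blocked, reset or unreachable: not proof either way.
            results[host] = ("INCONCLUSIVE", str(exc))
        else:
            # A trusted certificate was presented for a broken origin, so
            # something on the path replaced the origin's certificate.
            results[host] = ("ACCEPTED", f"{defect} not seen; issuer: {issuer}")
    return results


if __name__ == "__main__":
    for host, (verdict, detail) in audit_inspection().items():
        print(f"{verdict:13} {host:28} {detail}")
```

An ACCEPTED result needs a manual follow-up: a product that validates upstream may still complete the handshake with its own trusted certificate in order to show a block page, so confirm that the user actually receives a warning or error.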
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org