Slashdot Mirror


Network Middleware Still Can't Handle TLS Without Breaking Encryption (zdnet.com)

An academic study published last month shows that despite years' worth of research into the woeful state of network traffic inspection equipment, vendors are still having issues in shipping appliances that don't irrevocably break TLS encryption for the end user. From a report: Encrypted traffic inspection devices (also known as middleware), either special hardware or sophisticated software, have been used in enterprise networks for more than two decades. System administrators deploy such appliances to create a man-in-the-middle TLS proxy that can look inside HTTPS encrypted traffic, to scan for malware or phishing links or to comply with law enforcement or national security requirements.

[...] In the last decade, security researchers have looked closely at the issue of TLS inspection appliances that break or downgrade encryption. There has been much research on the topic, from research teams from all over the world. But despite years' worth of warnings and research, some vendors still fail at keeping the proper security level of a TLS connection when relaying traffic through their equipment/software. Academic research [PDF] published at the end of September by three researchers from Concordia University in Montreal, Canada, shows that network traffic inspection appliances still break TLS security, even today.

3 of 101 comments

  1. New definition for middleware? by Nkwe · Score: 4, Informative

    Encrypted traffic inspection devices (also known as middleware)

    Really? I don't think I have ever heard of middleware used in that context. I have always thought of middleware as a software layer that abstracts something between applications. It seems weird to refer to a hardware device as "middleware".

    1. Re:New definition for middleware? by mysidia · Score: 4, Informative

      I think whoever wrote or proofread the ZDNet article introduced mistakes, here.

      The phrases "TLS Middleware", "TLS middleware appliances," and "Middleware appliances" appear throughout the article Slashdot linked, BUT the paper does not use the word even once. They are called Middleboxes in the study.

  2. More ways to screw it up is worse by raymorris · Score: 1, Informative

    If you're talking directly to the origin server, you're trusting
    a) the public certificate authority.

    If you're talking to a proxy, which then talks to the origin server, you're trusting:

    a) Your local admins not only set up the proxy securely, but have kept updating the configuration every few months to stay up with the latest attacks.

    b) The proxy vendor got it right, and keeps it updated.

    c) the proxy server (which has the unencrypted data) hasn't been compromised

    d) the certificate authority

    The proxy is strictly weaker, in an absolute sense, because it requires trusting the certificate authority PLUS trusting the local admins get it right and keep it right, PLUS trusting the vendor of the proxy. You have to trust the same original CA plus two more groups of people, plus trust that the proxy server itself is insecure, that the server OS etc hasn't been exploited.

    Therefore the proxy is more dangerous in an absolute, mathematical sense. It's not even debatable because adding more ways to fail *always* makes it weaker.