Network Middleware Still Can't Handle TLS Without Breaking Encryption

An academic study published last month shows that despite years worth of research into the woeful state of network traffic inspection equipment, vendors are still having issues in shipping appliances that don't irrevocably break TLS encryption for the end user. From a report: Encrypted traffic inspection devices (also known as middleware), either special hardware or sophisticated software, have been used in enterprise networks for more than two decades. System administrators deploy such appliances to create a man-in-the-middle TLS proxy that can look inside HTTPS encrypted traffic, to scan for malware or phishing links or to comply with law enforcement or national security requirements.

[...] In the last decade, security researchers have looked closely at the issue of TLS inspection appliances that break or downgrade encryption. There has been much research on the topic, from research teams from all over the world. But despite years worth of warnings and research, some vendors still fail at keeping the proper security level of a TLS connection when relaying traffic through their equipment/software. Academic research [PDF] published at the end of September by three researchers from Concordia University in Montreal, Canada, shows that network traffic inspection appliances still break TLS security, even today.

unless its end to end, its going to break

Having a MITM on purpose is breaking things by design.

The end user needs to verify that the site they're talking to is the real one, by checking the certificate, but all they get is this stupid cert that was automatically generated by some stupid appliance. No way for the end user to ever know if they've gotten the right website or not.

Good luck if the appliance itself actually checks for cert validity or not.

In short, TLS is working as designed.

Re:unless its end to end, its going to break

[greenwow]

> What is broken if the user trusts a middlebox?

Nothing. This is just hyperbole.

The real question is do you trust cert authorities that have screwed-up in the past or your local IT guys? After we had several employees install malware from what they thought was a safe site since it used HTTPS, we haven't had that happen again after installing a proxy. It's the lesser of two evils.

I think the point of certificates and ...

all that is that you're not supposed to be able to do this. Sounds like it's working as designed.

Re:I think the point of certificates and ...

[sexconker]

Correct. Any other stance is just wrong. If you don't trust a host on your network communicating with the outside, then don't allow that to happen at all. If some things must be allowed, then work on a whitelist.

If you're trying to read encrypted traffic when you are not one of the 2 hosts involved in the encrypted connection, then you are hostile and malevolent - no matter your purported reasoning or intention.

New definition for middleware?

[Nkwe]

Encrypted traffic inspection devices (also known as middleware)

Really? I don't think I have ever heard of middleware used in that context. I have always thought of middleware as a software layer that abstracts something between applications. It seems weird to refer to a hardware device as "middleware".

Re:New definition for middleware?

[fustakrakich]

They probably meant *meddleware*

Re:New definition for middleware?

[mysidia]

I think whoever wrote or proofread the ZDNet article Introduced mistakes, here.

The phrases "TLS Middleware", "TLS middleware appliances," and "Middleware appliances" appear throughout the article Slashdot linked, BUT
the paper does not use the word even once. They are called Middleboxes in the study.

IDIOTS

Preventing man in the middle attacks is the fucking point of TLS. Of course you can't perform a man in the middle attack without breaking TLS you morons.