At the end of January, 2017, Troy Hunt said that “HTTPS adoption has now reached the moment of critical mass where it’s gathering enough momentum that it will very shortly become “the norm” rather than the exception it so frequently was in the past.”
HTTPS Is Increasingly Popular and Alarmingly Intercepted
In other words, HTTPS has continuously been becoming more widespread. Its growth has been followed by the also increasing HTTPS interception and SSL inspection on behalf of enterprise-grade firewalls, web filters, gateways, and the various types of security solutions.
As pointed out by researchers, client-side AV solutions should be able to terminate TLS sessions. This is needed to analyze the inner HTTP plaintext traffic so that threats are identified and content is filtered.
One question arises though and it concerns the safety of the new TLS connections. Several researchers from a number of organizations – US universities, ICSI, Mozilla, Cloudfare and Google, have gathered to work together towards answering that question.
How Was the Research Carried Out?
The researchers found a technique to detect HTTPS interception passively, based on TLS handshake characteristics. Heuristics also were created to allow web servers to detect interception and identify the culprit. Next, the researchers used the heuristics on the Mozilla Firefox update servers, as well as on several well-known e-commerce sites and the Cloudfare content distribution network.
Using these three locations, the researchers were able to assess almost 8 billion connection handshakes, the conclusion being that 5-10% of all connections are intercepted. This is quite a high number, as you might have supposed. The researchers also graded the unmodified browser handshakes and the intercepted connections via a scale based on the particular TLS features of every client. The final stage was calculating the change in security for intercepted connections. The researchers also pointed out that:
While for some older clients, proxies increased connection security, these improvements were modest compared to the vulnerabilities introduced: 97% of Firefox, 32% of e-commerce, and 54% of Cloudflare connections that were intercepted became less secure.
Alarmingly, not only did intercepted connections use weaker cryptographic algorithms, but 10–40% advertised support for known-broken ciphers that would allow an active man-in-the-middle attacker to later intercept, downgrade, and decrypt the connection. A large number of these severely broken connections were due to network-based middleboxes rather than client-side security software: 62% of middlebox connections were less secure and an astounding 58% had severe vulnerabilities enabling later interception.
For full technical disclosure, have a look at the detailed research paper in PDF.