TLS proxies: Insecure by design, say boffins

Have you ever suspected filters that decrypt traffic of being insecure? Canadian boffins agree with you, and have said that TLS proxies – commonly deployed in both business and home networks for traffic inspection – open up cans of worms. “Not a single TLS proxy implementation is secure with respect to all of our tests, …

  1. Hstubbe
    Facepalm

    Man in the middle for your security....

    I wonder how Zscaler holds up. It is a central proxy (I even believe it runs in the cloud) that hijacks TLS connections, replaces the cert with its own certificate and then uses TLS 1.0 to the browser. Ugh, why do corporate idiots like this so much?

    1. Sebby

      Re: Man in the middle for your security....

      Why? Because they're corporate idiots, of course. They don't care about your personal security, only their corporate (i.e. financial) security.

      Concur with El Reg: I can't wait to hear just how utterly braindead these corporate MITM solutions are. The only use for SSL/TLS inspection is protocol debugging; everything else is sacrosanct.

      1. Anonymous Coward

        Re: Man in the middle for your security....

        "The only use for SSL/TLS inspection is protocol debugging; everything else is sacrosanct."

        Er no. The corporate owns the assets and the data so they have a right to assess encrypted pipes for the presence of bad stuff coming in and good stuff going out. What they don't own is the external internet service that is being accessed, so little or no visibility into what's transiting to and from that service without 1) monitoring it on the endpoint or 2) busting encryption open with MITM.

        You know that personal phablet thing in your pocket/bag - try using that for teh pr0n, banking, booking appointments at the VD clinic and let the infosec guys get on with trying to keep the lights on and the data where it belongs.

        However, poor crypto implementations, whether they're on the client, server or part of a MITM approach, are inexcusable (the point of the research paper).

        1. Hstubbe

          Re: Man in the middle for your security....

          I actually only use the corporate network for work-related things. Weird as I am, I care about protecting silly stuff like business intelligence. But with Zscaler, the IT guys are actively sabotaging proper protection of sensitive data. They are not keeping the lights on and all that, they are just being lazy.

      2. Sir Sham Cad

        Re: The only use for SSL/TLS inspection

        There are a couple I can think of off the top of my head and I fully admit number 2 is essentially a bodge job.

        1) I can see what sensitive corporate data such as, I dunno, customer database Employee X has uploaded to their HotGmahoo! webmail account and sent to Competitor Y. If I can inspect it I can block it/flag it/report on it. Likewise any other https sites that would otherwise not be visible to corporate web security platforms.

        2) PC cert compliance. In a large corporate environment with mixed PC assets in various states of OS/browser version/patch level non-compliance you'll find machines that don't know about a lot of Trusted Root (or intermediary) CAs and supporting that is an utter nightmare, you can't go round several thousand PCs individually installing one or some, to be determined once they can't access a certain site, root certs. What you can do is push out ONE cert, the trusted corporate root CA cert, and stick one signed by that on the SSL/TLS proxy. All PCs now trust the proxy cert and the proxy can decide if the upstream web server cert is valid and allow/block accordingly.

        1. storner
          Facepalm

          Re: The only use for SSL/TLS inspection

          "1) I can see what sensitive corporate data such as, I dunno, customer database Employee X has uploaded to their HotGmahoo! webmail account and sent to Competitor Y."

          Sure, that's what Employee X would do. Copying it to a USB stick and bringing it home? Nah ... no way.

          1. Cynic_999

            Re: The only use for SSL/TLS inspection

            "Sure, that's what Employee X would do. Copying it to a USB stick and bringing it home? Nah ... no way."

            How would they do that if their company PC does not have any exposed USB ports?

    2. Preston Munchensonton

      Re: Man in the middle for your security....

      "Ugh, why do corporate idiots like this so much?"

      It's called Regulatory Compliance.

    3. Anonymous Coward

      Re: Man in the middle for your security....

      Zscaler is going to be just as vulnerable in its own way. Security through obscurity has always been a dangerous gambit. The main reason none of these solutions is open source is the same reason national security estimates are kept classified: their flaws would be undeniably obvious and make it impossible for anyone to sign off on them -- resulting in the death of yet another cash cow. Systems configured to use Zscaler or other proxies like it should never be trusted for any purpose. Period.

  2. an it guy

    Some proxies are very useful

    I don't work for Charles Proxy, but it's very useful as a local proxy. I wish they'd tested this, as I'd be curious to know their opinion about it.

  3. Anonymous Coward

    Sounds like...

    Some poor soul is being blocked by an El Reg proxy?

    "The Register keenly hopes de Carnavalet and Mannan get the chance to repeat their tests against corporate proxies, and will keep some popcorn for just such an event."

    1. Anonymous Coward

      Re: Sounds like...

      No need for El Reg - they don't use SSL

  4. Aodhhan

    Old News

    TOR, anonymizers, proxies of all kinds. This has been suspected before and confirmed when Voldemort (He who must not be named.. i.e. Snowden) became famous.
