iTnews

Security products endanger customers through poor TLS interception

By Juha Saarinen, iTnews on Feb 8, 2017 12:15PM

Introduce Logjam, POODLE, CRIME and other vulnerabilities.

Popular security products such as antivirus software and network middleboxes put customers at risk through poorly implemented transport layer security (TLS) interception, researchers have found.

A group of researchers from United States universities as well as tech companies Google, Mozilla, and Cloudflare tested middleboxes - which act as network proxies for traffic analysis and content filtering - from A10, Blue Coat, Barracuda, Check Point, Cisco, Fortinet, Juniper, Microsoft, Sophos, Untangle, and WebTitan.

All but the Blue Coat device weakened connection security: they introduced TLS vulnerabilities such as Logjam, advertised weak export-grade and RC4 ciphers, or failed to validate digital certificates properly.

The researchers also tested 29 antivirus products and found that 13 intercepted TLS connections. Of those, only Avast versions 10 and 11 for Windows did not reduce TLS connection security.

Avast 11.7 for macOS, however, advertised support for the insecure and deprecated Data Encryption Standard (DES) cipher, earning an F score from the researchers as severely broken.

Interception of TLS connections works by having the security product install its own root certificate into the trust store of the web browser, or of the devices on an organisation's network, so that certificates the product mints for any site are accepted.

This allows the product to terminate the TLS connection from the browser, decrypt the traffic to inspect it for malicious or disallowed content, and then open a separate TLS connection of its own to the destination server to carry the traffic on once analysis is complete.
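Because the product opens that second connection with its own TLS stack, the destination server (or a client-test site such as the ones the researchers recommend below) sees the proxy's ClientHello rather than the browser's, and can spot both a mismatch with the claimed browser and any weak cipher suites the proxy advertises. The following is an added example, not code from the paper or from any of the products it tested: it parses a ClientHello record, lists the weak suites it offers, assigns a simplified letter grade, and compares the handshake against the fingerprint expected for the client's User-Agent. The cipher suite IDs are the IANA-registered values; the `ExampleBrowser/60` fingerprint, the sample handshakes and the grading rubric are assumptions constructed for this example, and the `build_client_hello` helper exists only so the samples can be generated offline.

```python
"""Parse a TLS ClientHello as an origin server sees it, flag weak cipher
suites, and compare the handshake with the fingerprint expected for the
claimed browser. Added example; not the paper's or any vendor's code."""
import struct

# IANA-registered cipher suite IDs grouped by weakness.
EXPORT_SUITES = {0x0003, 0x0006, 0x0008, 0x000B, 0x000E, 0x0011, 0x0014, 0x0017, 0x0019}
RC4_SUITES = {0x0004, 0x0005, 0x0018, 0xC002, 0xC007, 0xC00C, 0xC011, 0xC016}
DES_SUITES = {0x0009, 0x000C, 0x000F, 0x0012, 0x0015, 0x001A}  # single DES, not 3DES
NULL_SUITES = {0x0000, 0x0001, 0x0002, 0x003B}
TLS_1_2 = 0x0303

# Assumed fingerprint table: (version, ordered cipher list) a User-Agent is
# expected to send. Constructed for this example; NOT a real browser's list.
# A real deployment would populate it from measurements of genuine browsers.
KNOWN_CLIENTS = {
    "ExampleBrowser/60": (TLS_1_2, [0xC02B, 0xC02F, 0xC030, 0xCCA8, 0x002F, 0x000A]),
}


def build_client_hello(version, cipher_suites, sni=None, client_random=b"\x11" * 32):
    """Encode a minimal ClientHello record (RFC 5246 layout) for offline samples."""
    body = struct.pack("!H", version) + client_random + b"\x00"  # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Decode legacy version, cipher suites and SNI from a ClientHello record.
    (TLS 1.3 signals its version in supported_versions, not parsed here.)"""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    off = 2 + 32  # skip client_random
    off += 1 + body[off]  # session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]  # compression_methods
    sni = None
    if off + 2 <= len(body):
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype == 0x0000 and len(data) >= 5:  # list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    return {"version": version, "cipher_suites": suites, "sni": sni}


def weak_suites(cipher_suites):
    """Advertised suites falling into each weak category, in offered order."""
    return {
        "export": [s for s in cipher_suites if s in EXPORT_SUITES],
        "rc4": [s for s in cipher_suites if s in RC4_SUITES],
        "des": [s for s in cipher_suites if s in DES_SUITES],
        "null": [s for s in cipher_suites if s in NULL_SUITES],
    }


def grade(hello):
    """Simplified rubric (my own, loosely modelled on the paper's letters):
    F = export, single-DES or NULL suites offered; C = RC4 offered or no
    TLS 1.2; A = nothing objectionable in what this parser inspects."""
    weak = weak_suites(hello["cipher_suites"])
    if weak["export"] or weak["des"] or weak["null"]:
        return "F"
    if weak["rc4"] or hello["version"] < TLS_1_2:
        return "C"
    return "A"


def interception_suspected(hello, user_agent):
    """True when the handshake does not match the claimed browser's fingerprint;
    None when the User-Agent is not in the table (no basis for a verdict)."""
    expected = KNOWN_CLIENTS.get(user_agent)
    if expected is None:
        return None
    return (hello["version"], hello["cipher_suites"]) != expected


if __name__ == "__main__":
    ua = "ExampleBrowser/60"
    direct = build_client_hello(TLS_1_2, KNOWN_CLIENTS[ua][1], sni="example.com")
    # Constructed handshake from a hypothetical proxy offering RC4 and single DES.
    proxied = build_client_hello(TLS_1_2, [0x002F, 0x000A, 0x0005, 0x0009], sni="example.com")
    for label, rec in (("direct", direct), ("proxied", proxied)):
        h = parse_client_hello(rec)
        print(label, h["sni"], grade(h), interception_suspected(h, ua), weak_suites(h["cipher_suites"]))
```

The fingerprint comparison only works server-side and only for User-Agents in the table, which is why a client-test site can also simply report what reached it; the weak-suite check, by contrast, is meaningful on its own and is the part an administrator can reproduce against a middlebox by looking at the ClientHello it emits upstream.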

Such interception is increasingly prevalent, the researchers said, meaning the security community is working at cross purposes: the attempt to detect and block harmful traffic dramatically reduces connection security.

"Many of the vulnerabilities we find in anti-virus products and corporate middleboxes — such as failing to validate certificates and advertising broken ciphers — are negligent and another data point in a worrying trend of security products worsening security rather than improving it," they wrote.

Compounding the problem, the researchers noted that while it was possible to adjust middlebox settings in many cases to avoid them degrading TLS security, their configuration was "confusing, oftentimes with little or no documentation". 

"We note that the installation process for many of these proxies is convoluted, crash-prone, and at times, non-deterministic," they said.

Testing middleboxes with services such as Qualys SSL Labs, How's My SSL, and Bad SSL is a must for administrators, the researchers said.

There is no good reason for antivirus vendors to intercept TLS at all, the researchers argued, since their software runs locally on the endpoint and already has access to the file system, browser memory, and any content loaded over HTTPS.

The researchers disclosed the vulnerabilities in the security products to vendors, but said the reception to the reports varied greatly.

"In many cases, we received no response and in other cases, we were unable to convince manufacturers that TLS vulnerabilities such as Logjam required patching," they wrote.

"One company would not accept our vulnerability report without a product serial number, and several indicated that secure product configuration was a customer responsibility and that they would not be updating their default configuration."
