iTnews

Security products endanger customers through poor TLS interception

By Juha Saarinen on Feb 8, 2017 12:15PM

Introduce Logjam, POODLE, CRIME and other vulnerabilities.

Popular security products such as anti-viruses and middleboxes put customers at risk through poor transport layer security (TLS) interception implementations, researchers have found.

A group of researchers from United States universities as well as tech companies Google, Mozilla, and Cloudflare tested middleboxes - which act as network proxies for traffic analysis and content filtering - from A10, Blue Coat, Barracuda, CheckPoint, Cisco, Fortinet, Juniper, Microsoft, Sophos, Untangle, and WebTitan.

All but the Blue Coat device weakened connection security and introduced TLS vulnerabilities such as Logjam, weak export and RC4 ciphers, or didn't validate digital certificates properly.

The researchers also tested 29 anti-viruses, and found 13 would intercept TLS connections. Only Avast versions 10 and 11 for Windows did not reduce TLS connection security.

Avast 11.7 for macOS, however, advertised support for the insecure and deprecated Data Encryption Standard (DES) cipher, earning an F score from the researchers for being severely broken.

Interception of TLS connections involves security products injecting their own certificates in web browsers or devices in organisation networks.

This allows them to terminate TLS connections, decrypt the traffic so as to look for malicious or disallowed content, and then re-initiate the TLS connection after analysis is complete.

Such interception is increasingly prevalent, the researchers said, meaning the security community is working at cross purposes - attempts to detect and block harmful traffic dramatically reduce connection security.

"Many of the vulnerabilities we find in anti-virus products and corporate middleboxes — such as failing to validate certificates and advertising broken ciphers — are negligent and another data point in a worrying trend of security products worsening security rather than improving it," they wrote.

Compounding the problem, the researchers noted that while it was possible to adjust middlebox settings in many cases to avoid them degrading TLS security, their configuration was "confusing, oftentimes with little or no documentation". 

"We note that the installation process for many of these proxies is convoluted, crash-prone, and at times, non-deterministic," they said.

Testing middleboxes with services such as Qualys SSL Labs, How's My SSL, and Bad SSL is a must for administrators, the researchers said.
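As an added illustration (not code from the article or from the researchers), the Python sketch below shows an offline check an administrator could run on a packet capture of a middlebox's re-initiated upstream connection: it parses the ClientHello and flags any export-grade, RC4 or DES cipher suites being advertised. The function names and the sample handshake are constructed for this example, and the suite table is a subset of the IANA registry.

```python
import struct

# IANA code points for the weakness classes the article names (export-grade,
# RC4, single DES). A subset for illustration, not the full registry.
WEAK_SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "export"),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "rc4"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "rc4"),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "export"),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", "des"),
    0x0014: ("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "export"),
    0x0015: ("TLS_DHE_RSA_WITH_DES_CBC_SHA", "des"),
    0xC011: ("TLS_ECDHE_RSA_WITH_RC4_128_SHA", "rc4"),
}

def client_hello_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in a single-record ClientHello."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(record) != 5 + rec_len or len(hello) != hs_len or hs_len + 4 > rec_len:
        raise ValueError("truncated or fragmented ClientHello")
    try:
        pos = 2 + 32                    # skip client_version and random
        pos += 1 + hello[pos]           # skip session_id
        (n,) = struct.unpack_from("!H", hello, pos)
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello body") from None
    pos += 2
    if n % 2 or pos + n > len(hello):
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + n, 2)]

def audit(record: bytes) -> list:
    """List (code point, IANA name, weakness class) for each weak suite offered."""
    return [(f"0x{s:04X}",) + WEAK_SUITES[s]
            for s in client_hello_suites(record) if s in WEAK_SUITES]

def build_sample(suites) -> bytes:
    """Constructed ClientHello (TLS 1.2, zero random, no extensions) for the demo."""
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLE = build_sample([0xC02F, 0x002F, 0x0005, 0x0015, 0x0014])
if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

An empty result from `audit` only means none of the listed suites were offered; certificate validation, which the researchers also found lacking, has to be tested separately.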

There is no good reason for anti-virus vendors to intercept TLS since their software operates locally and already has access to the file system, browser memory, and any content loaded over HTTPS, they claimed.

The researchers disclosed the vulnerabilities in the security products to vendors, but said the reception to the reports varied greatly.

"In many cases, we received no response and in other cases, we were unable to convince manufacturers that TLS vulnerabilities such as Logjam required patching," they wrote.

"One company would not accept our vulnerability report without a product serial number, and several indicated that secure product configuration was a customer responsibility and that they would not be updating their default configuration."
