Monsters in the Middleboxes: Building Tools for Detecting HTTPS Interception

The practice of HTTPS interception continues to be commonplace on the Internet. In a basic HTTPS connection, a browser (client) establishes a TLS connection directly to an origin server to send requests and download content. However, many connections on the Internet do not go directly from a browser to the server serving the website, but instead pass through some type of proxy or middlebox (a "monster-in-the-middle" or MITM). There are many reasons for a MITM to exist on a connection, both malicious and benign.

Past research has shown that HTTPS interception is prevalent on the Internet and that it often degrades the security of Internet connections. A server that refuses to negotiate weak cryptographic parameters should be safe from many of the risks of degraded connection security, but there are plenty of reasons why a server operator may want to know if HTTPS traffic from its clients has been intercepted.

First, detecting HTTPS interception can help a server identify suspicious or potentially vulnerable clients connecting to its network. A server can use this knowledge to notify legitimate users that their connection security might be degraded or compromised. HTTPS interception also increases the attack surface of requests between intercepted clients and servers, and presents an attractive target for attackers seeking to violate the integrity and confidentiality of data between these two parties.

Second, the presence of content inspection systems not only weakens the security of TLS connections but also hinders the adoption of new innovations and improvements to TLS. Users connecting through TLS-terminating middleboxes may have their connections downgraded to older versions of TLS still supported by the middleboxes, and therefore may not receive the security, privacy, and performance benefits of newer TLS versions. This can happen even when the newer versions are supported by both the browser and the server.

In this talk, we will provide an overview of the various forms of HTTPS interception and the development of an open-source HTTPS interception detection tool, along with the insights we gained and want to share with the security community. (Check out the tool at: https://github.com/cloudflare/mitmengine).
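To make the server-side detection idea from the preceding paragraphs concrete, here is an added example that is not code from the talk or from the mitmengine project. It assumes one general approach such a tool can take: the browser's User-Agent header claims a browser family, the TLS ClientHello it actually sent is compared against a reference fingerprint for that family, and a large mismatch (or a lower maximum TLS version than the real browser offers) is reported as likely interception. The reference fingerprints, the `ClientHello` dataclass, the sample handshakes and the 0.6 similarity threshold are all constructed for this example.

```python
"""Illustrative HTTPS-interception heuristic (added example; not mitmengine's code).

Idea: a browser family produces a fairly stable TLS ClientHello (max version,
cipher suites, extensions). A TLS-terminating middlebox opens its own TLS
connection to the origin, with its own ClientHello, but forwards the browser's
User-Agent header. A server that sees a User-Agent claiming "Chrome" together
with a ClientHello that looks nothing like Chrome's has evidence of interception,
and can also see whether the middlebox downgraded the TLS version.
"""
from dataclasses import dataclass

TLS12 = 0x0303
TLS13 = 0x0304


@dataclass(frozen=True)
class ClientHello:
    """The parts of a TLS ClientHello this heuristic looks at (constructed type)."""
    max_version: int        # highest TLS version the client offers
    cipher_suites: tuple    # IANA cipher suite code points, in offered order
    extensions: tuple       # extension type numbers, in offered order


# Constructed reference fingerprints for two browser families. These values are
# illustrative assumptions, not measured data; a real tool derives them from
# observed handshakes of known-good browsers.
REFERENCE = {
    "Chrome": ClientHello(
        TLS13,
        (0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030),
        (0, 23, 65281, 10, 11, 16, 5, 13, 51, 45, 43),
    ),
    "Firefox": ClientHello(
        TLS13,
        (0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F, 0xC02C, 0xC030, 0xC013),
        (0, 23, 65281, 10, 11, 16, 5, 34, 51, 43, 13, 45),
    ),
}


def browser_family(user_agent: str) -> str:
    """Map a User-Agent string to a browser family we have a reference for."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent and "Edg/" not in user_agent:
        return "Chrome"
    return "unknown"


def jaccard(a, b) -> float:
    """Set similarity in [0, 1]; order is deliberately ignored for this example."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 1.0


def assess(user_agent: str, hello: ClientHello, threshold: float = 0.6) -> dict:
    """Compare the claimed browser with the observed ClientHello.

    Returns a dict with the family, similarity scores, whether the handshake
    offers a lower maximum TLS version than the real browser, and a verdict.
    """
    family = browser_family(user_agent)
    if family == "unknown":
        return {"family": family, "verdict": "unknown_client", "downgraded": False,
                "suite_similarity": None, "extension_similarity": None}
    ref = REFERENCE[family]
    suites = jaccard(ref.cipher_suites, hello.cipher_suites)
    exts = jaccard(ref.extensions, hello.extensions)
    downgraded = hello.max_version < ref.max_version
    mismatch = suites < threshold or exts < threshold
    return {"family": family,
            "verdict": "likely_intercepted" if mismatch else "consistent",
            "downgraded": downgraded,
            "suite_similarity": suites,
            "extension_similarity": exts}


# Constructed sample inputs: one handshake that matches the Chrome reference,
# and one that looks like a TLS 1.2-only inspection proxy re-originating the
# connection while forwarding the browser's User-Agent.
CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/99.0 Safari/537.36"
GENUINE_CHROME_HELLO = REFERENCE["Chrome"]
MIDDLEBOX_HELLO = ClientHello(
    TLS12,
    (0xC02F, 0xC030, 0x009E, 0x009F, 0x002F, 0x0035),
    (0, 10, 11, 13, 23),
)

if __name__ == "__main__":
    for label, hello in (("genuine", GENUINE_CHROME_HELLO), ("middlebox", MIDDLEBOX_HELLO)):
        print(label, assess(CHROME_UA, hello))
```

Running the block reports the genuine handshake as `consistent` and the proxy-style handshake as `likely_intercepted` with `downgraded` set, which is exactly the signal a server could use to warn the affected user. Set similarity is used here for brevity; a production tool would also weigh suite and extension order, GREASE values and known middlebox fingerprints, and would treat an unknown User-Agent as inconclusive rather than as evidence either way.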
