Monsters in the Middleboxes: Building Tools for Detecting HTTPS Interception

Black Hat USA 2019

Presented by: Gabriele Fisher, Luke Valenta
Date: Wednesday August 07, 2019
Time: 10:30 - 10:55
Location: South Seas CDF

The practice of HTTPS interception continues to be commonplace on the Internet. In a basic HTTPS connection, a browser (client) establishes a TLS connection directly to an origin server to send requests and download content. However, many connections on the Internet do not go directly from a browser to the server serving the website, but instead traverse some type of proxy or middlebox (a "monster-in-the-middle" or MITM). There are many reasons for a MITM to exist on a connection, both malicious and benign.

Past research has shown that HTTPS interception is prevalent on the Internet and that it often degrades the security of Internet connections. A server that refuses to negotiate weak cryptographic parameters should be safe from many of the risks of degraded connection security, but there are plenty of reasons why a server operator may want to know if HTTPS traffic from its clients has been intercepted.

First, detecting HTTPS interception can help a server to identify suspicious or potentially vulnerable clients connecting to its network. A server can use this knowledge to notify legitimate users that their connection security might be degraded or compromised. HTTPS interception also increases the attack surface area of requests between intercepted clients and servers, and presents an attractive target for attackers to violate the integrity and confidentiality of data between these two parties.

Second, the presence of content inspection systems can not only weaken the security of TLS connections but also hinder the adoption of new innovations and improvements to TLS. Users connecting through TLS-terminating middleboxes may have connections downgraded to older versions of TLS still supported by the middleboxes, and therefore may not receive the security, privacy, and performance benefits of new TLS versions. This can happen even if newer versions are supported by both the browser and server.

In this talk, we will provide an overview of the various forms of HTTPS interception, describe the development of an open-source HTTPS interception detection tool, and share the insights we observed with the security community. (Check out the tool at: https://github.com/cloudflare/mitmengine).

Luke Valenta

Luke Valenta is a Systems Engineer on the Cryptography team at Cloudflare. He recently received his PhD in Computer Science from the University of Pennsylvania where he was advised by Nadia Heninger. Luke is broadly interested in computer security, applied cryptography, privacy, and distributed systems.

Gabriele Fisher

Gabbi Fisher is a Systems Engineer at Cloudflare, where she works at the intersection of practical systems implementation and security and cryptography research. She offsets spending so much time in front of a computer by going on long-distance hiking trips (most recently, the Washington section of the Pacific Crest Trail).

