Decrypting Web Proxies: Corporate Compliance or Surveillance State?
Commonwealth Telecommunications Organization Cyber Security Forum, 17 June 2010
Ron Williams, Sr. Enterprise Architect, Security and Privacy, IBM Security
In freedom loving countries, surveillance is undertaken with a certain amount of trepidation, and perhaps a certain amount of regret. It has been a tool of intelligence operations since the earliest recorded history. It has been justified as necessary to “national security,” and excoriated as a tool of an oppressive state. Whether or not these characterizations are accurate, one fact is clear. Surveillance of the electronic kind is on the rise in the digital age. Electronic surveillance techniques are increasingly being adopted in commercial enterprise. These include the use of decrypting web proxies to “see into” otherwise encrypted traffic. In the microcosm of the commercial sphere, “Enterprise Security” takes the place of “National Security” and “Corporate Policy” that of “National Interest.” And while there is a long history of debate and conflict surrounding what the role of security in the national interest should be, surveillance as a tool of corporate security, especially electronic surveillance, is a relative newcomer to the stage.
It is a premise of this paper that governments and commercial enterprises alike desire and intend to “do the right thing” with respect to protecting their infrastructures, while upholding the rights of their citizens, employees, and business partners. It seeks to illuminate a small area of encrypted internet communication, and point the way to rationally confronting the problems its use may pose.
The use of switched network routers in lieu of inherently insecure bridging technologies has significantly reduced internet protocol (IP) attacks based on IP address spoofing.
Intrusion detection and prevention (IPS) techniques and their associated technologies have vastly reduced the threat surface of the organizations that have deployed them.
Research into evolving application threats and application heuristics has resulted in effective techniques to confront SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and obfuscated script encoding.
80% of all cyber threats are perpetrated over encrypted protocols. The vast majority of these occur over server-side-only Transport Layer Security (TLS or SSL).
Unless a threat can be detected and countermeasures applied before it reaches sensitive application endpoints - critical applications and their underlying infrastructure remain vulnerable.
Why do users and providers want to encrypt web traffic?
Ensure privacy of data between user and service by protecting user data, like login credentials, medical information, account numbers, transaction details, content delivered.
Authenticate one or both parties (server-side-only or mutually authenticated TLS)
Maintain legal privilege
Keep private web activity from employer, family, competitors, government agents, curious teenagers, prying relatives
Protect political speech
Engage in illegal activities
Exercise right to be free from surveillance
“Why do you want to know?”
Why do enterprises want to decrypt third-party web traffic?
80% of all web attacks perpetrated over TLS (IBM X-Force)
7 of 10 Top Web Security Threats can be directed against the browser over TLS (Open Web Application Security Project/OWASP). There is no antivirus protection for an encrypted stream.
Intellectual capital and privacy data alike are increasingly being lost electronically. Organizations want to monitor and inspect traffic to mitigate Information Loss (i.e. DLP)
Regulations and corporate policy demand enforcement of acceptable use policies. Organizations want to inspect traffic on corporate assets and block access to sites deemed inappropriate to the job (i.e. pornography, criminal and/or terrorist communications, known malware sites, etc.)
TLS Proxy - breaking the protocol
TLS is designed to ensure the integrity of communications between a service provider and its users. Server-side-only TLS provides an additional mechanism by which the server is authenticated to the user. Inherent in the protocols is the assumption that TLS
provides confidentiality of communication between a user and a service
authenticates the identity of the name or subject of the server to the end user
authenticates the name or subject of the user to the Server (in the case of the use of client side certificates, mutually authenticated TLS)
provides a mechanism whereby tampering of any of the above properties will be detectable
Decryption of TLS by an entity other than the intended endpoints is considered an attack against the protocol, specifically a man-in-the-middle (MITM) attack.
In the case of the enterprise, the deployment of decrypting web proxies has only considered the relationship between the enterprise and its employees, contractors, business partners, those who operate within the sphere of the enterprise and its IT operation. However - there is a third class of participant - the service represented by the server leg of the connection.
It is used to authenticate a subject, in the case of HTTPS the source, company or other organization that “owns” the certificate
Protocols like SSL and TLS that use Digital Certificates include mechanisms to detect tampering with the certificate
Why use protocols based on public key cryptography and Digital Certificates?
They enable the participants (endpoints) to identify and authenticate each other
They provide mechanisms to detect tampering with either the certificate or the protocol being used
They imply “secure” communications.
Who Uses Digital Certificates and the encryption protocols based on them?
Everyone on the internet
Users of Digital Certificates expect that their communications are “tamper resistant”
Banking Example . . .
Server-side-only TLS (What the Server and Browser “See”)
Decrypting Web Proxy (Man-in-the-Middle/MITM)
If TLS is designed to prevent tampering, how can a decrypting web proxy work?
Technical Premise of TLS Proxy
Server-side-only TLS can be read en clair by a third party and effectively proxied without indication to either party if
The TLS session is divided into two distinct sessions
The third party (proxy) is interposed between the two sessions
The browser (IE, Firefox, Safari, Opera, etc.) can be manipulated to reduce or eliminate indications of tampering to the end user
The proxy can be interposed in the network between the end user and server to which they connect
The browser’s traffic can be routed to the proxy either by
Proxy redirection, or
In-line network capture (transparent proxy)
Means by which to make a decrypting proxy work within an Enterprise
Control of Endpoint, Control of Browser - Certificate Forging
Install Special “Root” Certificates in the browser
Re-write (forge) the Subject of the source Certificate into local “Root”
Sign re-written (forged) certificate with local private key
Present forged certificate to browser as real certificate
User notification - Ignore the man behind the curtain
Notify users of TLS proxy use, and to “click through” browser warnings of Certificate mismatch (IP address, DNS address, etc.)
Almost Full Disclosure
Notify Users of TLS Proxy and for what purpose: Information Loss Prevention, Spyware/Antivirus, Application and Web Browser Threat Mitigation.
None of these address 3rd party rights (those of the provider of the target server) with respect to their expectation of privacy or confidentiality of transactions (Banks, commercial enterprise, government agencies, etc.)
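The certificate forging steps listed above keep the subject of the original certificate but replace its issuer and its key, so a client that knows what the service normally presents can tell the two apart. The following is an added example, not part of the original presentation; it uses constructed data shaped like the output of Python's ssl getpeercert(), and the host name, CA names and pin values are assumptions.

```python
import hashlib

def rdn_value(name, key):
    """Return the first value of `key` in a getpeercert()-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def check_presented_cert(cert_info, der_bytes, pin):
    """Compare a presented certificate with what the service is known to use.

    cert_info : dict shaped like ssl.SSLSocket.getpeercert()
    der_bytes : bytes shaped like getpeercert(binary_form=True)
    pin       : expected subject CN, issuer CN and SHA-256 of the DER encoding
    Returns the list of properties that differ (empty list = as expected).
    """
    findings = []
    if rdn_value(cert_info["subject"], "commonName") != pin["subject_cn"]:
        findings.append("subject")
    if rdn_value(cert_info["issuer"], "commonName") != pin["issuer_cn"]:
        findings.append("issuer")
    if hashlib.sha256(der_bytes).hexdigest() != pin["sha256"]:
        findings.append("fingerprint")
    return findings

# Constructed sample data (not real certificates). The byte strings stand in
# for DER encodings; only the fact that they differ matters here.
ORIGIN_DER = b"constructed stand-in for the bank's real certificate"
FORGED_DER = b"constructed stand-in for the proxy's re-signed certificate"

ORIGIN_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Public CA (constructed)"),),
               (("commonName", "Public CA G1"),)),
}
# Same subject, but issued by the root the enterprise installed in the browser.
FORGED_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Enterprise IT (constructed)"),),
               (("commonName", "Enterprise Proxy Root"),)),
}
# Hypothetical pin recorded while talking to the service directly.
PIN = {
    "subject_cn": "bank.example",
    "issuer_cn": "Public CA G1",
    "sha256": hashlib.sha256(ORIGIN_DER).hexdigest(),
}

if __name__ == "__main__":
    print("origin:", check_presented_cert(ORIGIN_CERT, ORIGIN_DER, PIN))
    print("forged:", check_presented_cert(FORGED_CERT, FORGED_DER, PIN))
```

The subject check passes for both certificates, which is why a name match alone gives the user no indication; only the issuer and fingerprint comparisons flag the re-signed one.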
TLS Proxies - the Butcher, the Baker, the Candlestick Maker Parties to TLS
User initiating a connection
Primary subject of communication
intends to interact with service - not third party -
expectation of privacy
Server responding to User
Primary object of communications
intends to interact with user - not third party
expectation of privacy
Third Party Monitor
who deploys decrypting proxy
deploys to protect itself
TLS Proxy supports requirements for third party monitors only, and in effect obviates those of the original participants - user and service, client and server.
TLS is implemented in communications between two parties specifically to ensure the confidentiality and integrity of the communication between them. TLS Proxies are implemented to deliberately supersede the requirements of the primary communicants. This is surveillance in its simplest form.
The deployer (third-party) of a TLS proxy implicitly asserts its rights and privileges over and against those of the parties whose communication is now under surveillance. And unless it explicitly notifies both parties of its actions.
What of the party that operates the service?
Scenario One - Harold and His Concerns
Harold Saxon is the chief architect of a large commercial engineering firm. His firm produces highly confidential designs for industrial manufacturing facilities across the globe. The plans, designs, and specifications produced by the firm are both strategically and competitively sensitive.
Harold is concerned about unauthorized information leakage and attacks from the Internet to which his firm’s infrastructure may be vulnerable. He is aware that over 80% of potential web threats are executed over SSL or TLS encrypted sessions. Harold directs his IT organization to deploy decrypting web proxies to monitor and protect his infrastructure against threats targeted at obtaining commercial plans.
Harold’s governance board has implemented an opt-in/implicit block policy. This means that if one of the firm’s employees does not consent to their encrypted traffic being monitored, then the firm blocks access to those sites. In this way the firm’s objectives are achieved, with full knowledge and consent of the users who are the firm’s employees.
Scenario Two - Donna and Her Concerns
Donna Noble is the general manager for wealth management for an elite bank in Suffolk. She and her staff are responsible for the web applications, secured by TLS, by which the bank’s customers pay bills, check on account balances and deposits, initiate fund transfers, and manage their investment portfolio.
Donna is concerned about the integrity of the communications between her customers and the bank. She has directed the deployment of TLS on all applications for her customers. She is unaware of the potential deployment by her customers’ employers of technology that would enable them to observe all aspects of the transactions of her customers who are also their employees.
If Donna knew that the communications between the bank and her customers were being monitored, and potentially captured or altered, would she care? If her customer approved of the communication being monitored, would that be sufficient for the bank?
Scenario Three - Martha and Her Concerns
Martha Jones represents the ministry of cyber security in prosperous Ubuntu, Northwest Africa. When agencies of his government suffer security breaches, Nelson deploys field staff to assess the situation, perform tests including penetration scans and other tools of vulnerability assessment, develop reports, and send them via a web application secured via TLS. They may actually log in to your site from anywhere on the internet.
Martha operates a fast information gathering operation when her team goes into action. Because of the sensitivity of the information they gather - all transmissions between her field staff and her office are encrypted over TLS. Furthermore, because Martha understands the implications of decrypting web proxies, she deploys digital certificate based technology on all of her field applications to assure both the source and integrity of the information her staff collect and transmit.
When Worlds Collide - conflict of objectives
Donna Noble has an expectation that TLS will provide the communications between her customers and the bank with a secure channel; she does not expect anyone - the government, her customers’ employers, or her customers’ neighborhood cyber café - to be able to “snoop” on them.
Harold Saxon has suffered the online theft of documents critical to his and his customer’s business. This was due to a trojan, downloaded over TLS, by one of his employees while on a social networking site. The resulting damage to his firm’s reputation, and the increased insurance costs due to a large settlement to his former customer, have led him to purchase anti-virus, intrusion prevention, and information loss protection technology along with a TLS proxy. He hopes that together these will enable him to identify threats transmitted to his employees, and identify and block them or their actions before another breach is successful.
What are the implications to Donna Noble’s bank? How does the risk profile of her customers’ transactions change in the face of potential online snooping by her customers’ employers? What are the risks that customers’ login credentials will be used fraudulently in the future? What can Donna do to mitigate downstream TLS proxy use - to block it and its effects on her business?
For Information Servers: Obviating downstream TLS Proxies
The techniques described work only for server-side TLS, where the server only is authenticated to the client. They do not work in mutually authenticated TLS, where the server authenticates to the client, and vice versa. Attempts to proxy mutually authenticated TLS sessions will fail on the server side - thus protecting the integrity of communications between client and server.
Some institutions deploy technology in their user facing servers that is intended to detect downstream proxy insertion, but requires the user to interact with the server to “approve” the new configuration. In the case of a fully transparent TLS proxy deployment, the user may wonder why they’re being asked to (re-)configure a session with their bank - but absent other clear indicators or disclosure - they are likely to do so without another thought.
If the decrypting proxy is open about its function - it should use standard HTTP proxy headers, inserted into the HTTP stream to announce its use. At least in this case it couldn’t be accused of deliberately hiding its operation from upstream servers. This only works for “honest” proxies - those with nothing to hide.
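A server can check whether a request discloses an intermediary by reading the standard proxy headers mentioned above. This is an added example, not part of the original presentation; the sample requests, host names and the choice of headers to inspect (Via, Forwarded, X-Forwarded-For) are assumptions made for illustration.

```python
import re

# Headers an intermediary conventionally adds. Via is defined in RFC 7230,
# Forwarded in RFC 7239; X-Forwarded-For is a de facto convention.
PROXY_HEADERS = ("via", "forwarded", "x-forwarded-for")

# One Via hop: [protocol-name "/"] version, received-by, optional "(comment)".
VIA_HOP = re.compile(r"(?:[A-Za-z]+/)?(\d\.\d|\d)\s+([^\s,()]+)(?:\s*\(([^)]*)\))?")

def parse_headers(raw_request):
    """Split a raw HTTP/1.x request head into {lowercase-name: [values]}."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def announced_intermediaries(raw_request):
    """Return what the request itself discloses about proxies on the path.

    proxy_announced == False only means nothing was disclosed; a proxy that
    chooses not to add these headers leaves no trace here.
    """
    headers = parse_headers(raw_request)
    report = {"via_hops": [], "other_headers": []}
    for value in headers.get("via", []):
        for version, received_by, comment in VIA_HOP.findall(value):
            report["via_hops"].append((version, received_by, comment))
    report["other_headers"] = sorted(h for h in PROXY_HEADERS[1:] if h in headers)
    report["proxy_announced"] = bool(report["via_hops"] or report["other_headers"])
    return report

# Constructed sample requests, as the server sees them after TLS termination.
DIRECT = (b"GET /accounts HTTP/1.1\r\nHost: bank.example\r\n"
          b"User-Agent: ExampleBrowser/1.0\r\n\r\n")
DISCLOSED = (b"GET /accounts HTTP/1.1\r\nHost: bank.example\r\n"
             b"Via: 1.1 tlsproxy.corp.example (inspection gateway), 1.1 edge-2\r\n"
             b"X-Forwarded-For: 10.20.30.40\r\n\r\n")

if __name__ == "__main__":
    print(announced_intermediaries(DIRECT))
    print(announced_intermediaries(DISCLOSED))
```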
The use of TLS proxies
breaks three properties of TLS sessions
fundamentally changes the trust model of communication between parties
introduces a new actor, the third party proxy - which has full ability to read, modify, and retain information transmitted in both directions
and its operations are largely hidden from the server side, and can be largely minimized if not completely made invisible to web clients.
In doing each of these, it changes the fundamental assumptions of both clients and servers.
The use of TLS proxies is seen as an effective means to address and bring to light web-based threats which operate today concealed in TLS traffic.
It provides a means to monitor and potentially block these threats in the network, at points of major traffic aggregation, rather than on each individual endpoint.
It can enable the use of widely available third-party anti-malware, information loss protection, and intrusion prevention technologies, plugged into the proxy.
It can enable the elimination of up to five times the number of threats seen today over un-encrypted traffic.
The legal and ethical implications of the use of TLS proxies in business today are largely untested in some jurisdictions.
Adopters of decryption technology need to be aware of any business risk attendant to the technology’s use and with respect to
their employees, and
those with whom their employees communicate, banks, social networks, business partners, personal banks
It is probably worth considering the implications of proxying certain kinds of communications like on-line banking, in order to understand any potential liability that may arise.
Full disclosure to end users that decrypting web proxies are in use is recommended in all cases
Notification alone may in some cases be inadequate to fulfill local legal requirements. In these cases a user’s explicit approval may be required.
The author is unaware of any legal cases concerning the commercial forgery of TLS certificates for any reason. Commercial software that performs in-line certificate forgery is generally available and discussed on the web today.
Vendors of TLS proxies should, at minimum, enable by default HTTP Proxy Headers in order to notify upstream servers that they are in use.
Except in the case of legally authorized criminal surveillance, disclose fully and widely to all parties that TLS proxies are in use.
Provide simple mechanisms to disable proxy use to particular sites (on-line banking)
Provide opt-in policies to ordinary users.
Consider achieving protection goals through blocking of TLS transmission where user chooses not to permit decryption.
Consider the risk impact to the organizations with whom your employees communicate, and their expectations of privacy.
Consult with your organization’s legal counsel before deploying decryption technology
For further exploration and reference
IBM X-Force® threat and trend reports: http://www-935.ibm.com/services/us/iss/xforce/trendreports/
Open Web Application Security Project (OWASP) Top 10 Vulnerability Project: http://www.owasp.org/index.php/OWASP_Top_Ten_Project