The United States Computer Emergency Readiness Team (US-CERT) has issued a security advisory on the ability of HTTPS interception to weaken TLS security.

US-CERT urged organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement to ensure that their HTTPS inspection products perform correct transport layer security (TLS) certificate validation.

Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide, warned US-CERT.

TLS and its predecessor, Secure Sockets Layer (SSL), are Internet protocols that encrypt communications between a client and a server. These protocols (and protocols that make use of TLS and SSL, such as HTTPS) use certificates to establish an identity chain showing that the connection is with a legitimate server verified by a trusted third-party certificate authority.

Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, leaving the connection open to a man-in-the-middle (MiTM) attack.

In addition, certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server.

Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.
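The two checks described above can be made concrete. The following Python script is an added example and is not part of the US-CERT advisory or this article. It shows, first, what a correctly configured upstream TLS client context looks like (the leg an inspection product opens toward the origin server), with a helper that tells you whether a given context actually verifies both the chain and the hostname; and second, a client-side probe that connects to hosts that deliberately serve broken certificates and reports whether the failure reaches the client. The badssl.com test hosts are a real public service, but choosing them as probes, and the `probe`/`failed_probes` helper names, are this example's own assumptions. If a probe to a host with a broken certificate is reported as `accepted`, the product in the path has re-signed that certificate with its own CA without surfacing the error, which is exactly the behaviour the advisory warns about.

```python
"""Added example: two defender-side checks for HTTPS inspection products.

1. make_upstream_context()/context_validates(): the settings an inspection
   proxy must use on its upstream leg, and a check that a context has them.
2. probe()/failed_probes(): from a client sitting behind the proxy, handshake
   with hosts that deliberately present broken certificates and see whether
   the validation failure is passed through to us.
"""
import socket
import ssl

# Assumption: these public badssl.com hosts present the named certificate defect.
# The choice of probes is this example's own, not part of the advisory.
PROBES = {
    "expired.badssl.com": "expired leaf certificate",
    "self-signed.badssl.com": "self-signed certificate",
    "wrong.host.badssl.com": "hostname mismatch",
    "untrusted-root.badssl.com": "chain to an untrusted root",
}


def make_upstream_context(cafile=None):
    """Context a proxy should use toward the origin: verify chain AND hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # system trust store by default
    ctx.check_hostname = True                        # name in cert must match target
    ctx.verify_mode = ssl.CERT_REQUIRED              # a valid chain is mandatory
    return ctx


def context_validates(ctx):
    """True only if the context requires a valid chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def probe(host, port=443, timeout=5.0):
    """Handshake with a validating client and report what the client observed.

    'blocked'  - handshake failed on certificate verification, as it should.
    'accepted' - a valid chain was presented; behind an inspection proxy this
                 means the proxy re-signed a broken upstream certificate.
    'error'    - network or other failure; says nothing about validation.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLCertVerificationError:
        return "blocked"
    except (OSError, ssl.SSLError):
        return "error"


def failed_probes(results):
    """Given {host: outcome}, return hosts whose broken certificate was accepted."""
    return sorted(h for h, outcome in results.items() if outcome == "accepted")


if __name__ == "__main__":
    results = {host: probe(host) for host in PROBES}
    for host, outcome in results.items():
        print(f"{outcome:9} {host:28} ({PROBES[host]})")
    bad = failed_probes(results)
    if bad:
        print("Certificate errors did NOT reach the client for:", ", ".join(bad))
    else:
        print("All certificate errors were surfaced to the client.")
```

Run the script from a workstation behind the inspection product; every probe should come back `blocked`. A product that instead shows a block page over its own valid certificate will also register as `accepted` at the handshake level, so confirm that case by looking at the HTTP response the product returns rather than treating the handshake result alone as a pass.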

The solution, according to US-CERT, is for organizations using HTTPS inspection products to verify that their product properly validates certificate chains and passes any warnings or errors on to the client. Organizations considering the use of HTTPS inspection should also weigh the pros and cons of such products carefully before deploying them.