nsa

The National Security Agency (NSA) has released a Cyber Advisory that addresses managing risk from Transport Layer Security Inspection (TLSI).

The document defines TLSI (a security process that allows incoming traffic to be decrypted, inspected, and re-encrypted), explains some risks and associated challenges, and discusses mitigations.

TLS and its predecessor, Secure Sockets Layer (SSL), are important Internet protocols that encrypt communications over the Internet between the client and server.

These protocols (and protocols that make use of TLS and SSL, such as HTTPS) use certificates to establish an identity chain showing that the connection is with a legitimate server verified by a trusted third-party certificate authority.

Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers.

Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation.

Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide.

A recent report, The Security Impact of HTTPS Interception, highlighted several security concerns with HTTPS inspection products and outlined survey results of these issues. Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MiTM attack.

Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.

Organizations using an HTTPS inspection product should verify that their product properly validates certificate chains and passes any warnings or errors to the client.

Read the alert by CISA, and the NSA advisory.