The National Security Agency (NSA) published an advisory that addresses the risks behind Transport Layer Security Inspection (TLSI) and provides mitigation measures for weakened security in organizations that use TLSI products.

TLSI (also known as TLS break and inspect) is the process by which enterprises inspect encrypted traffic using a dedicated product, such as a proxy device, a firewall, or an intrusion detection or prevention system (IDS/IPS), that decrypts TLS-protected traffic and re-encrypts it before forwarding it on.

While some enterprises use this technique to monitor for threats such as data exfiltration, active command and control (C2) channels, or malware delivery over encrypted traffic, it also introduces risks of its own.

Enterprise TLSI products that don't properly validate TLS certificates, for instance, weaken the end-to-end protection TLS is meant to give end users, drastically increasing the likelihood that threat actors will target them in man-in-the-middle (MitM) attacks.

Forward proxies misbehaving

A malfunctioning forward proxy with TLSI capabilities can have unexpected consequences, such as rerouting decrypted network traffic to an external network, where third-party inspection devices could intercept it and gain unauthorized access to sensitive data.

"Deploying firewalls and monitoring network traffic flow on all network interfaces to the forward proxy helps protect a TLSI implementation from potential exploits," the NSA says.

"Implementing analytics on the logs helps ensure the system is operating as expected. Both also help detect intentional and unintentional abuse by security administrators as well as misrouted traffic."
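As an added illustration of the flow monitoring and log analytics the NSA describes (this is example code, not part of the advisory or of any TLSI product), the following runs over constructed forward-proxy flow records and flags decrypted traffic that leaves on the wrong proxy interface or heads for a destination outside the inspection segment, which is the misrouting failure described above. The record format, the interface name and the network ranges are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of forward-proxy flow records (hypothetical format):
# timestamp, proxy interface, source, destination, port, payload state.
# "plaintext" marks a decrypted copy on its way to the IDS/IPS sensors.
SAMPLE_FLOWS = """\
2019-11-19T10:00:01Z eth1 10.20.0.15 10.50.0.7 9000 plaintext
2019-11-19T10:00:02Z eth0 10.20.0.15 203.0.113.44 443 tls
2019-11-19T10:00:03Z eth1 10.20.0.16 198.51.100.9 8080 plaintext
2019-11-19T10:00:04Z eth1 10.20.0.17 10.50.0.7 9000 plaintext
2019-11-19T10:00:05Z eth0 10.20.0.18 10.50.0.7 9000 plaintext
"""

# Assumed topology: decrypted traffic may only leave on eth1 and only toward
# the inspection segment that holds the sensors. Both values are constructed.
INSPECTION_IFACE = "eth1"
INSPECTION_SEGMENT = ipaddress.ip_network("10.50.0.0/24")


@dataclass(frozen=True)
class Flow:
    ts: str
    iface: str
    src: str
    dst: str
    port: int
    state: str


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, iface, src, dst, port, state = line.split()
        flows.append(Flow(ts, iface, src, dst, int(port), state))
    return flows


def misrouted_plaintext(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return (flow, reason) pairs for decrypted traffic that is leaving the
    proxy anywhere other than the inspection interface and segment."""
    findings = []
    for f in flows:
        if f.state != "plaintext":
            continue  # still TLS-protected: not a plaintext leak candidate
        if f.iface != INSPECTION_IFACE:
            findings.append((f, "plaintext on non-inspection interface"))
        elif ipaddress.ip_address(f.dst) not in INSPECTION_SEGMENT:
            findings.append((f, "plaintext destined outside inspection segment"))
    return findings


if __name__ == "__main__":
    for flow, reason in misrouted_plaintext(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.ts} {flow.iface} {flow.src} -> {flow.dst}:{flow.port}  {reason}")
```

In a real deployment the records would come from the proxy's flow logs or from a sensor on each proxy interface; the point of the check is that a decrypted copy must never be seen on an interface or toward a network that the inspection design did not explicitly allow.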

When it's essential to use a TLSI product, the NSA recommends independently validated products that can properly implement data flow, TLS, and CA functions.

Moreover, products validated by the National Information Assurance Partnership (NIAP) "and configured according to the vendor’s instructions used during validation" should meet the requirements.

TLS sessions and CAs

Because TLSI happens in real time and a TLSI product must manage two separate TLS connections (client-to-proxy and proxy-to-server), it in most cases introduces TLS chaining issues: the protection negotiated on one leg is not carried over to the other, downgrading the session and potentially exposing it to weaker cipher suites and TLS versions.

TLSI forward proxy devices also include a built-in certification authority (CA) function for creating and signing new certificates. Because hosts trust this embedded CA, an attacker who compromises it could use it "to sign malicious code to bypass host IDS/IPSs or to deploy malicious services that impersonate legitimate enterprise services to the hosts."

Attackers could also directly exploit the TLSI devices where the traffic is decrypted, thus gaining access to plaintext traffic, while an insider such as an authorized security admin "could abuse their access to capture passwords or other sensitive data visible in the decrypted traffic."

"To minimize the risks described above, breaking and inspecting TLS traffic should only be conducted once within the enterprise network," the NSA advisory adds.

"Redundant TLSI, wherein a client-server traffic flow is decrypted, inspected, and re-encrypted by one forward proxy and is then forwarded to a second forward proxy for more of the same, should not be performed."

TLSI risk mitigation measures

The NSA provides further measures for mitigating the risks of TLSI devices in an enterprise network in its security advisory, Managing risk from Transport Layer Security Inspection [PDF].

"The mitigations described above can reduce the risks introduced by a TLSI capability, provide indicators that alert administrators if the TLSI implementation may have been exploited, and minimize unintended blocking of legitimate network activity," the NSA adds.

"In this way, security administrators can successfully add TLSI to their arsenal and continue to step up their methods to combat today’s adversaries and TTPs."

The Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert on risks associated with HTTPS inspection in March 2017, stating that "in general, organizations considering the use of HTTPS inspection should carefully consider the pros and cons of such products before implementing."

"Organizations should also take other steps to secure end-to-end communications, as presented in US-CERT Alert TA15-120A," CISA says, referring to its earlier alert on securing end-to-end communications.

A list of potentially affected TLSI software, compiled by CERT/CC vulnerability analyst Will Dormann, is available here, while a simple tool for checking whether a TLSI product correctly verifies certificate chains can be found at badssl.com.
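The two concerns raised earlier, certificate validation on the proxy's server-facing leg and protocol downgrade across the two chained TLS connections, can be checked from a client sitting behind the proxy, which is what the badssl.com test just mentioned does by hand. The following is an added example, not the NSA's, the article's or badssl.com's code: it audits a Python `ssl` client configuration for those weaknesses and probes badssl.com's public test hosts (assumed to remain available) whose certificates a correctly validating TLS path must reject. The `weak_client_context` function exists only as the anti-pattern to compare against.

```python
import socket
import ssl

# badssl.com's public test hosts whose certificates a correctly validating
# TLS client must refuse. Assumption: these names are still served by badssl.com.
BADSSL_MUST_FAIL = (
    "expired.badssl.com",         # certificate past its notAfter date
    "wrong.host.badssl.com",      # certificate not issued for this hostname
    "self-signed.badssl.com",     # no chain to a trusted CA
    "untrusted-root.badssl.com",  # chains to a CA the client does not trust
)


def strict_client_context() -> ssl.SSLContext:
    """Configuration the server-facing side of a forward proxy should use:
    the trusted CA store, hostname checking and no legacy protocol versions."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 on the second leg
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern for comparison only: the 'accept anything' client
    configuration a TLSI product must not have on its server-facing side."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # permit downgrade to TLS 1.0
    except (ValueError, ssl.SSLError):
        pass  # OpenSSL built without TLS 1.0: the downgrade cannot even be expressed
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Static review of a client context against the advisory's two concerns:
    certificate/hostname validation and protocol downgrade."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed (downgrade risk)")
    return findings


def probe_validation(host: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> str:
    """Handshake with a host serving a deliberately bad certificate.
    'rejected'     : validation works along the whole path.
    'accepted'     : something on the path (for example a TLSI proxy re-signing
                     with its own CA without validating upstream) let it through.
    'inconclusive' : network problem, nothing can be concluded."""
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            # server_hostname enables SNI and the hostname check
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except ssl.SSLCertVerificationError:
        return "rejected"
    except (ssl.SSLError, OSError):
        return "inconclusive"


if __name__ == "__main__":
    ctx = strict_client_context()
    print("context audit:", audit_context(ctx) or "no findings")
    for host in BADSSL_MUST_FAIL:
        print(f"{host:28} {probe_validation(host, ctx)}")
```

Run from a host behind a TLSI proxy, every probe should come back `rejected`. An `accepted` result means the client was handed a certificate it trusts (typically one minted by the proxy's embedded CA) for a server whose real certificate should have failed, so the proxy is not validating the upstream leg and has silently removed the protection the client thinks it has.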