Can we stop intercepting user traffic (aka Man-in-the-Middle) please?

first… clarifying scope

This post focuses on the interception / Man-in-the-Middle (MiTM) of end-user web traffic on a corporate device/network (i.e.: Janice Bloggs on a work laptop using Chrome to get to Facebook) where MiTM is overt.

What many of us are doing right now

Whatever you’re doing now can be chalked up to ‘it is what it is’ — hopefully you’re looking forward to iterate your network and better serve your users.

Installing our own Root Certificate Authority (CA)

For simplicity, let’s assume an operating system’s Root CA database is well curated.

Enforcing a web proxy

Whether authenticated or not, and whether via a proxy auto-config (PAC) file or plain Group Policy Object (GPO) settings, you’re instructing (or forcibly capturing) web traffic and directing it to a proxy of some kind.

Breaking the HTTPS connection

This is the actual MiTM — your proxy is terminating the HTTPS connection itself by issuing a certificate impersonating the destination IP/domain the user is trying to reach and therefore seeing all of the traffic.

Blocking websites based on categories

As you’re ‘in the middle’, you’ve configured your proxy to match intended destinations against category lists, and subject to policy show the user different content (for example, a policy violation page).

Logging

From ‘the middle’, you can see full URL paths being visited, so you might be logging all of that.

Monitoring/Alerting

It’s possible you’re monitoring for policy violations and then alerting on those so your IT teams can tell your People Team (HR) how naughty someone is being.

[Fake] Data Leak Protection (DLP)

From ‘the middle’, in theory you can see where files are being exchanged and you may be choosing to block such — for example, not allowing .exe files to be downloaded or .zip files to be uploaded.

Breaking things

By enforcing an inspecting proxy, you might be stopping some destinations from working, either because the traffic isn’t actually HTTPS or because the service doesn’t tolerate MiTM.

Hiding things

Re-signing with internal CA/PKI structures means the browser (and therefore the user) is not seeing the original CA information and certificate path; it sees the internal CA/PKI information instead.

Downgrading security

Many MiTM-capable ‘Unified Threat Management’ or ‘Next-Generation Firewall’ style systems are stuck on older versions of TLS (usually v1.0), which may offer less security than the end-user browser would have negotiated (newer versions, better cipher suites, etc.) by connecting to the destination directly.

Maintaining a cumbersome whitelist

You may have a list of things you need to bypass inspection on to keep them working, or (hopefully) a list of categories that you won’t inspect because inspecting them would breach privacy (for example, online banking).

Caching

A proxy caching assets can be useful to speed up user experience and save network bandwidth. You could also be making their experience much worse and just creating more work for yourself.

Pretending to manage risk & keeping your Chief Information Security Officer (CISO) / Senior Information Risk Owner (SIRO) happy

Knowing more doesn’t mean you’re doing more to stop bad things from happening.

What we could be doing

Taking a step back and understanding that security includes users (your best, not worst, defence) and good security requires depth.

Pay attention to our end-user devices

Given the main purpose of intercepting end-user web traffic is usually to defend against malware… increase your defence where that malware operates.

Filtering based on Domain Name System (DNS) results

If you’re in the UK public sector the National Cyber Security Centre (NCSC, a part of GCHQ) have a free DNS filtration service you can enrol your organisation onto. This doesn’t provide organisational policy enforcement (block adult material etc) but focuses on stopping devices from reaching known bad malware sites.

Getting email security right

Above and beyond a robust externally facing email configuration, nip malware (and spam) before it gets to your users and devices.

Filtering based on Server Name Indication (SNI)

Putting Transport Layer Security (TLS) v1.3 to the side for the moment:

Improving your monitoring

Once your device management systems are configured to ensure end-user devices run modern and up to date software, you should monitor that this is actually true.

If you truly need to (hint: most of you won’t) invest in true DLP

I’ll discuss DLP another time, but in short, using a technical step like MiTM to detect malicious data exfiltration means you’ve probably already lost your data.

Getting ready for TLS v1.3

NCSC’s Chief Technology Officer blogged about TLS v1.3 in March 2018 and it is a good read to get you thinking about the enterprise side of things.

Quickly commenting on the out of scope

Intercepting system-system traffic is a different matter and if you are doing so in order to defend against lateral movement and understand/enforce traffic between different areas of trust (etc) you should probably continue to do so.

  • the destination domain has a functional but misconfigured interface (certificates are passed in the wrong order) and your interception masks this because the client no longer sees the original chain (on the flip side, your interception might be picky about RFC compliance, so instead punishes the user by throwing up an error where their browser communicating directly with the destination domain would have been more tolerant of minor RFC misalignment)
  • your client is designed to check for a specific intermediate CA or certificate, but your intercepting proxy will issue its own, so the connection either fails or is given more trust than it should be
