An academic study published shows that despite years worth of research into the woeful state of network traffic inspection equipment, vendors are still having issues in shipping appliances that don’t irrevocably break TLS encryption for the end user. Craig Young, Security Rresearcher at Tripwire commented below.
Craig Young, Security Researcher at Tripwire:
“TLS middle boxes were introduced to improve the performance and security of HTTPS connections but in an ironic twist of fate, more often than not, these systems are the weakest link in an otherwise secure chain.
One of the main problems is that many vendors in this space run their own custom TLS stacks rather than relying on well tested systems like OpenSSL or Microsoft’s SChannel. This custom code means that vendors have to invest considerable resources to keep their implementations up to date with the latest protocols, ciphers, and attack countermeasures. As it turns out, a proper and secure TLS/HTTPS implementation is non-trivial and most vendors do not have the resources to get it perfect resulting in industry-wide implementation failures like POODLE TLS and Return of Bleichenbacher’s Oracle Threat (ROBOT). ROBOT is a really great example of this as our research led to 16 different vulnerability advisories across more than a dozen vendors and the underlying vulnerability is something which was first described nearly 20 years earlier.
Beyond security concerns, these middle boxes are also standing in the way of progress as the push toward perfect secrecy and strong encryption has been in conflict with these middle boxes deployed around the world. The only way TLSv1.3 was able to get out the door was by first manipulating the standards to look more like older protocols for the explicit reason of preventing HTTPS middle boxes from preventing access to TLSv1.3 enabled sites.
