A recent warning issued by US-CERT has advised that SSL inspection tools may do the opposite of what they are intended for: rather than strengthening the cyber defenses of healthcare organizations, they may weaken them by making their computer systems more exposed to man-in-the-middle attacks.
It should be noted that what US-CERT has alleged does not necessarily mean that the SSL inspection tools themselves are the problem, but rather that organizations are relying on those solutions alone to decide which connections should be trusted and which should not. An organization can leave itself exposed to attack if it places its complete trust in one solution. If that solution proves to be flawed, ineffective or fails to perform comprehensive checks, the company or organization could be left in the dark as to the presence of a problem.
A broad variety of IT security products, such as secure gateways, data loss prevention solutions, firewalls and a litany of security applications, now include built-in SSL inspection tools. Although this should be a positive for a user’s cybersecurity, recent research indicates that a number of those solutions have the potential to introduce vulnerabilities. For instance, certain products may permit communication with a bad server before the user is alerted. Others have failed to conduct comprehensive validation checks, such as performing incomplete upstream certificate validation.
US-CERT has explained that because the HTTPS inspection product is responsible for managing the ciphers, protocols, and certificate chain, the product must carry out the obligatory HTTPS validations itself. Any failure to perform that validation, or to adequately relay the validation status to the client, raises the likelihood that the user may become a victim of a MITM attack by criminals.
It is recommended that the use of SSL inspection tools be considered at length. Organizations should weigh up the pros and cons of their use of the tools. Being alert to the limits of a product’s usefulness, and to the risks of its use, is clearly very important.
US-CERT advises any organization which opts to employ SSL inspection tools to verify that those tools are correctly validating certificate chains and that any warnings of insecure connections are being delivered to the client. One suggested way to confirm that SSL inspection tools are performing correctly is to test them against badssl.com.
US-CERT stated that if any of the tests in the Certificate section of badssl.com cause a client with direct Internet access to refuse the connection, the same client should also refuse the connection when it reaches the web by means of an HTTPS inspection product.
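The comparison US-CERT describes can be scripted. The following is an added example written for this article, not a tool from US-CERT or badssl.com: it attempts a verifying TLS handshake against the badssl.com certificate test hosts (the public subdomains listed on that site), records whether each is accepted or refused, and compares a run made with direct Internet access against a run made through the inspection product. The host list, the probe logic and the reporting rule are assumptions of this example; the rule itself is the one stated in the alert: anything the direct client refuses must also be refused behind the inspection product.

```python
"""Check whether an HTTPS inspection product preserves certificate validation.

Added example (not from the US-CERT alert or the article).  Run "probe" once
from a client with direct Internet access and once from a client behind the
inspection product, then "compare" the two result files.  Hostnames are the
publicly documented badssl.com test subdomains; everything else is an
assumption of this example.
"""
import json
import socket
import ssl
import sys

# badssl.com "Certificate" section hosts that a correctly validating client
# must refuse (bad chain or wrong name).  Hostnames as published on badssl.com.
BAD_CERT_HOSTS = [
    "expired.badssl.com",
    "wrong.host.badssl.com",
    "self-signed.badssl.com",
    "untrusted-root.badssl.com",
]
# Control host with a valid certificate; it must be accepted in both runs,
# otherwise the inspection product is breaking good connections too.
GOOD_HOST = "badssl.com"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Attempt a verifying TLS handshake; return 'accepted', 'refused' or 'error'."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLCertVerificationError:
        return "refused"           # the verdict the alert expects for bad hosts
    except (ssl.SSLError, OSError):
        return "error"             # network failure, not a validation verdict


def run_probe() -> dict:
    """Probe every test host and return {host: verdict}."""
    return {host: probe(host) for host in BAD_CERT_HOSTS + [GOOD_HOST]}


def compare_runs(direct: dict, inspected: dict) -> list:
    """Return findings where the inspected run differs from the direct run.

    Rule from the alert: a host the direct client refuses must also be refused
    through the inspection product.  A refusal that appears only behind the
    product is reported too, as a false positive worth investigating.
    """
    findings = []
    for host, verdict in direct.items():
        behind = inspected.get(host, "missing")
        if verdict == "refused" and behind == "accepted":
            findings.append(f"{host}: refused directly but ACCEPTED through inspection")
        elif verdict == "accepted" and behind == "refused":
            findings.append(f"{host}: accepted directly but refused through inspection")
        elif behind in ("error", "missing"):
            findings.append(f"{host}: no verdict through inspection ({behind}); rerun")
    return findings


if __name__ == "__main__":
    # Usage: python check.py probe > direct.json      (direct Internet access)
    #        python check.py probe > inspected.json   (behind the inspection product)
    #        python check.py compare direct.json inspected.json
    if len(sys.argv) >= 2 and sys.argv[1] == "probe":
        print(json.dumps(run_probe(), indent=2))
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        with open(sys.argv[2]) as f_direct, open(sys.argv[3]) as f_inspected:
            problems = compare_runs(json.load(f_direct), json.load(f_inspected))
        print("\n".join(problems) if problems else "OK: inspection matches direct validation")
        sys.exit(1 if problems else 0)
    else:
        print(__doc__)
```

The probe uses Python's default context, so a refusal means the standard chain and hostname checks failed; an "error" verdict (timeout, reset) is deliberately kept separate so that a blocked network path is not mistaken for a validation decision.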