SSL inspection tools are commonly used by healthcare providers to improve security; however, according to a recent warning issued by US-CERT, SSL inspection tools may actually weaken organizations’ defenses and make them more susceptible to man-in-the-middle attacks.
The problem is not necessarily the SSL inspection tools themselves, but that organizations rely on those solutions to tell them which connections can be trusted and which cannot. If the solution is trusted completely yet is ineffective, or does not perform thorough and complete checks, an organization could be left exposed to attacks without being aware that there is a problem.
SSL inspection tools are now included in a wide range of cybersecurity products, including secure gateways, firewalls, data loss prevention solutions and a host of security applications. However, recent research suggests that many of those solutions are potentially introducing vulnerabilities. For example, some products allow communication with a bad server before the client is warned, and others have been found to perform incomplete validation checks, including incomplete validation of upstream certificates.
US-CERT explains the significance of the research saying “Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.”
US-CERT recommends that the use of SSL inspection tools be carefully considered, with organizations weighing the advantages against the disadvantages of using those tools. Being aware of the limitations of a product, and of the risks it could potentially introduce, is important.
US-CERT says any organization that chooses to use SSL inspection tools should determine whether those tools are properly validating certificate chains and whether warnings of insecure connections are being passed to the client. US-CERT suggests one way to determine whether SSL inspection tools are performing as they should is to check them against badssl.com.
US-CERT says “if any of the tests in the Certificate section of badssl.com prevent a client with direct Internet access from connecting, those same clients should also refuse the connection when connected to the Internet by way of an HTTPS inspection product.”
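One way to carry out the badssl.com check US-CERT describes, as an added example that is not from the advisory or this article: run the script once from a client with direct Internet access and once from a client that reaches the Internet through the HTTPS inspection product, then compare the two reports. The badssl.com hostnames are real test hosts from its Certificate section; the verdict labels and the evaluate() function are this example's own.

```python
import socket
import ssl

# Hostnames from the Certificate section of badssl.com; a correctly
# validating client must refuse every one of them.
EXPECT_REFUSED = (
    "expired.badssl.com",
    "wrong.host.badssl.com",
    "self-signed.badssl.com",
    "untrusted-root.badssl.com",
)
# Control host with a valid certificate that must be accepted.
EXPECT_ACCEPTED = ("badssl.com",)


def probe(host, port=443, timeout=10.0):
    """Attempt a verified TLS handshake with the system trust store and return
    'accepted', 'refused' (certificate validation failed) or 'unreachable'."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLCertVerificationError:
        return "refused"
    except (ssl.SSLError, OSError):
        return "unreachable"


def evaluate(results):
    """Given {host: verdict}, return (host, reason) pairs whose outcome
    contradicts what a validating client should do. An empty list means the
    path under test (direct or via the inspection product) behaves correctly;
    a product that yields 'accepted' for an EXPECT_REFUSED host is not
    validating, or is not conveying the failure to the client."""
    problems = []
    for host in EXPECT_REFUSED:
        if results.get(host) == "accepted":
            problems.append((host, "accepted a certificate that must be refused"))
    for host in EXPECT_ACCEPTED:
        if results.get(host) == "refused":
            problems.append((host, "refused a valid certificate"))
    return problems


def run():
    results = {h: probe(h) for h in EXPECT_REFUSED + EXPECT_ACCEPTED}
    for host, verdict in results.items():
        print(f"{host:28} {verdict}")
    return evaluate(results)


if __name__ == "__main__":
    for host, why in run():
        print(f"PROBLEM: {host}: {why}")
```

'unreachable' results on the inspected path usually mean the product dropped the connection itself, which also satisfies US-CERT's expectation as long as the client is told why.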