NSA warns enterprises over TLS traffic inspection risks: do it once, and do it well

The US National Security Agency (NSA) has published a new advisory alerting enterprises to their responsibilities if they use tools to decrypt encrypted web traffic, inspect its contents for malware and then re-encrypting the traffic. 

The US spy agency’s advisory explains how Transport Layer Security (TLS) Inspection works, why it’s used, and some of the main risks involved in using traffic inspection on proxy devices like firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).

TLS is the cryptographic protocol that protects communications over the internet and computer networks. It’s also the key protocol that enables secure HTTPS communications between browsers and websites. But that protection can get complicated by devices that inspect TLS traffic passing through an enterprise network and servers beyond it.   

The NSA suggests enterprises that deploy TLS inspection technologies should use it responsibly, opening the advisory with the line “with great power…” comes great responsibility. 

The main gist of the document is that the risks of TLS inspection are “not inconsequential” but do have mitigations. 

NSA has some advice about the design and location of the “forward proxy” that intercepts requests from devices inside a network and forwards those request to servers on external networks or near the network boundary.

“A forward proxy that forwards decrypted traffic to external inspection devices could misroute the traffic and result in exposing sensitive traffic to unauthorized or weakly protected networks,” it cautions. 

It recommends deploying firewall and monitoring network traffic flow on all network interfaces to the forward proxy to avoid potential attacks. It also recommends monitoring logs to ensure the system hasn’t been tampered with. 

The NSA also warns of the risks regarding the potential for an attacker to downgrade TLS protections to less secure versions of a cryptographic cipher, which can happen when the proxy device becomes a middle man between an external server and a client, such as a browser. 

Read more: Stalker risk: Kids $30 smartwatch exposes exact location data of 5,000 users

Researchers from Cloudflare and Google in 2017 highlighted the problem of TLS interception products weakening the encryption used to secure communications. The researchers found that up to 10% of the web’s HTTPS traffic is intercepted. While not always malicious, it could still reduce the security of a user’s communications.       

The research drew attention to popular security products that did weaken encryption through the process of intercepting encrypted traffic and then forwarding it with protection by outdated encryption. 

“TLS security settings, including version, cipher suites, and certificates, should be properly configured to prevent TLS downgrade. Disable weak TLS versions and cipher suites on the server-side. Prevent clients from forcing the usage of weak TLS versions and cipher suites,” NSA advised. 

“For enterprises that have clients with outdated technologies that require weak TLS versions and cipher suites, such as outdated browsers, constrain the usage of the weaker TLS security parameters so the proxy negotiates them only for exempted clients. Some TLSI vendor solutions may have features that allow weaker TLS versions and cipher suites by exception only.”

The agency also had a warning about the abuse of certificate authority (CA) embedded in the TLS interception forward proxy because TLS clients are configured to trust the CA. 

“Abuse of a trusted CA can allow an adversary to sign malicious code to bypass host IDS/IPSs or to deploy malicious services that impersonate legitimate enterprise services to the hosts,” NSA notes. 

The agency says the embedded CA “must be protected from abuse” and fixes need to be available if it does happen. 

“Issue the embedded CA’s signing certificate from an external CA trusted only for TLS inspection purposes. Do not use default or self-signed certificates. Monitor enterprise traffic for unexpected and unauthorized certificates  issued by the embedded CA.”

Admins need to be able to revoke cached certificates and any unauthorized certificates and even the embedded CA’s signing certificate itself if necessary. 

Another risk of TLS inspection is that an attacker can target a single device with the knowledge that sensitive traffic has been decrypted. 

TLS inspection also creates an insider threat opportunity, allowing rogue employees or contractors to capture credentials and other sensitive data in its decrypted state. 

NSA’s final advice is to only do the decryption and re-encryption process once, and do it well. 

“To minimize the risks described above, breaking and inspecting TLS traffic should only be conducted once within the enterprise network. Redundant TLSI, wherein a client-server traffic flow is decrypted, inspected, and re-encrypted by one forward proxy and is then forwarded to a second forward proxy for more of the same, should not be performed. Inspecting multiple times can greatly complicate diagnosing network issues with TLS traffic.” 

Tags GooglensaCloudFlareTLSHTTPSencryption

Show Comments