Certificate Authority Report Card: Examining the Root of Data Protection on the Web
Jeremy Clark, Assistant Professor
Mohammad Mannan, Assistant Professor
To filter Secure Sockets Layer (SSL)/Transport Layer Security (TLS)-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the middle of the host's communications. The researchers set out to analyze such proxies as there are known problems in other (more matured) TLS processing engines, such as browsers and common TLS libraries.
Compared to regular proxies, client-end TLS proxies impose several unique constraints, and must be analyzed for additional attack vectors; e.g., proxies may trust their own root certificates for externally-delivered content and rely on a custom trusted certificate authority store (bypassing operating system and browser stores).
Covering existing and new attack vectors, the researchers designed an integrated framework to analyze such client-end TLS proxies. Using the framework, they performed a thorough analysis of eight antivirus and four parental-control applications for Windows that act as TLS proxies, along with two additional products that only import a root certificate.
The researchers' systematic analysis revealed that several of these tools severely affect TLS security on their host machines. In particular, they found that four products are vulnerable to full server impersonation under an active man-in-the-middle (MITM) attack directly out-of-the-box, and two more are vulnerable if TLS filtering is enabled. Several of these tools also mislead browsers into believing that a TLS connection is more secure than it actually is, for example, by artificially upgrading a server's TLS version from the browser's perspective. This research is intended to highlight new risks introduced by TLS interception tools, which are possibly used by millions.
This document is available in the following language(s):
OPC Funded Project
This project received funding support through the Office of the Privacy Commissioner of Canada’s Contributions Program. The opinions expressed in the summary and report(s) are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada. Summaries have been provided by the project authors. Please note that the projects appear in their language of origin.
1455 De Maisonneuve Blvd. W.
Main Telephone: 514-848-2424
- Date modified: