Tuesday, 26 November 2019 19:18:00 (UTC/GMT)
I recently stumbled across an NSA Cyber Advisory titled
Managing Risk from Transport Layer Security Inspection
after first learning about it through Jonas Lejon’s blog post
NSA varnar för TLS-inspektion (Swedish).
I read the NSA report with great interest since I wanted to see how our own TLS interception tool
PolarProxy stands up to the risks identified in the advisory.
I highly respect the NSA’s knowledge in the fields of cryptography and security,
which is why I read the advisory as if it was the definite guide on how to perform TLS inspection in a secure manner.
However, towards the end of the advisory I got stuck on this paragraph, which I was unable to understand:
HTTP Strict Transport Security (HSTS) includes a security feature that binds the HTTP session to the specific TLS session used. TLSI systems that ignore the underlying HTTP headers will cause HSTS sessions to be rejected by the client application, the server, or both.
WUT?!?! HSTS (RFC 6797) is designed to protect against attacks like
Moxie Marlinspike’s 10 year old
which fools the client into using unencrypted HTTP instead of HTTPS.
As far as I know, HSTS does not support binding an HTTP session to a specific TLS session.
What is HSTS?
HSTS is a simple HTTP header sent by the web server to inform the browser that it should only load the site using HTTPS.
The header can look like this:
strict-transport-security: max-age=47111337; includeSubDomains; preload
Image: NetworkMiner 2.5 showing HSTS headers from HTTP/1.1 and HTTP/2 traffic
The PCAP file loaded into
NetworkMiner in screenshot above contains HTTPS traffic
that has been decrypted by PolarProxy.
You can also use Wireshark or tshark to find HSTS headers by using the following display filter:
http.response.line matches "Strict-Transport-Security" or http2.header.name matches "Strict-Transport-Security"
Notice the use of “matches” to get case insensitive matching of “Strict-Transport-Security” and
the duplicated statements required to get the filter to match headers in both HTTP/1.1 and HTTP/2.
Back to the NSA Advisory
I simply couldn’t understand NSA’s statement about the HSTS “security feature” that binds the HTTP session to the specific TLS session used,
because I’m not aware of any such feature in HSTS and my google-fu was to weak to find any such feature.
I therefore resorted to
asking folks on Twitter if they knew about this feature.
Nick Sullivan (Head of Research and Cryptography at Cloudflare)
kindly replied on twitter that they probably mean
“Token Binding” (RFC 8471).
Peter Wu (Wireshark core developer and TLS expert) additionally
replied that the NSA perhaps were referring to the Sec-Token-Binding header name in RFC 8473
(which has nothing to do with HSTS).
Backed by these two experts in TLS and HTTPS I can confidently conclude that the authors of the NSA’s Transport Layer Security Inspection (TLSI) advisory have either misunderstood what HSTS is or made some form of typo.
I have reported this error to the NSA, but have not yet received any response.
Other Issues in NSA’s TLSI Advisory
This experience dented my faith in the TLS expertise of the NSA in general and in particular the authors of this advisory.
I therefore decided to re-read the TLSI advisory, but this time without the “NSA knows this stuff” glasses I had on before.
This time I found several additional claims and statements, which I didn’t agree with, in the four page advisory.
To start with, the first figure in the document depicts two setups where one is allowing end-to-end encryption
between the client and server, while the other is using TLS inspection.
Image: Encrypted Traffic (top) and TLS Inspection (bottom) as shown in NSA’s TLSI advisory
In the end-to-end setup we see the malicious traffic passing straight to the client,
while in the second setup the malicious traffic is blocked by the TLSI device.
This image is accompanied by the following text:
A TLSI capability implemented within a forward proxy between the edge of the enterprise network and an external network such as the Internet protects enterprise clients from the high risk environment outside the forward proxy.
My experience is that blocking traffic in this way is more likely to provide a false sense of security
than improved protection against malware.
It is better to use TLSI to detect intrusions than to try to block them.
This probably sounds counter-intuitive, as you might reason that
“if you can detect it, why can't you prevent it?”.
I’m not going to go into a lengthy explanation of the “Prevention Eventually Fails” paradigm here,
instead I’d recommend reading Richard Bejtlichs book “The Tao of Network Security Monitoring” or his more recent book
“The Practice of Network Security Monitoring”.
You can also read Richards blog post about
”The Problem with Automated Defenses”
or Phil Hagen’s
“What to Do When Threat Prevention Fails”.
TLSI products should primarily be used to provide visibility in order to detect and respond to malware and intrusions.
Many TLSI products can block some attacks, but they don’t really provide perimeter security.
Unfortunately the NSA advisory might further strengthen this false sense of security with the mentioned image and accompanying text.
DO IT WELL, DO IT ONCE
The NSA advisory states:
To minimize the risks described above, breaking and inspecting TLS traffic should only be conducted once within the enterprise network. Redundant TLSI, wherein a client-server traffic flow is decrypted, inspected, and re-encrypted by one forward proxy and is then forwarded to a second forward proxy for more of the same, should not be performed.
In general, I agree with this statement. Unfortunately many TLSI products do not “do it well”,
which is why “do it once” is not always enough.
One such situation is when a PC is believed to be infected with malware, but further investigation is required to know for sure.
Many TLSI products apply lock-in techniques that prevent incident responders from analyzing the decrypted traffic with external tools.
This forces IR teams to add an extra TLS proxy when their enterprise TLSI product does not provide sufficient visibility.
PolarProxy is, in fact, designed to support that type of agile TLSI deployment,
in order to enable decryption and inspection of TLS traffic from a particular machine during an incident.
Final Words about the Advisory and TLS Inspection
Even through this blog post criticizes parts of the NSA TLSI advisory,
I’d still like to end with saying that it also brings a lot of good stuff to the table.
The issues mentioned in this blog post are actually just minor ones,
which hopefully won’t have any negative impact on future TLSI deployments.
In fact, the positive aspects of the advisory by far outweighs the negative ones.
I also hope this blog post can help get more discussions going about TLS inspection,
such as if we need it, what problems it can solve and what risks we take by deploying it.
UPDATE, 16 December 2019
The NSA released an updated version of the advisory today (1U/OO/212028-19).
The advisory now says:
TLS Token Binding binds security tokens to the specific TLS session used.
TLSI systems can cause the sessions or tokens to be rejected by the client application,
the server, or both.
Hypertext Transfer Protocol Strict Transport Security (HSTS) requires that Hypertext Transfer Protocol over TLS (HTTPS) is used in the future with trusted certificates and that all content is received via HTTPS as well.
If a TLS client application attempts to follow the HSTS requirements but does not trust the separate TLSI CA, the client will reject the TLSI sessions and prevent users from clicking-through browser warnings.
Thanks for updating!
Posted by Erik Hjelmvik on Tuesday, 26 November 2019 19:18:00 (UTC/GMT)