A disturbing trend in corporate IT departments everywhere is the introduction of SSL inspection proxies. This blog post explores some of the ethical concerns about such proxies and proposes a provider-side technology solution to allow clients to detect their presence and alert end-users. If you’re well-versed in concepts about HTTPS, SSL/TLS, and PKI, please skip down to the section entitled ‘Proposal’.
For starters, e-commerce and many other uses of the public Internet are only possible because the capability for encryption of messages exists. The encryption of information across the World Wide Web is possible through a suite of cryptography technologies and practices known as Public Key Infrastructure (PKI). Using PKI, servers can offer a “secure” variant of the HTTP protocol, abbreviated as HTTPS. This variant itself encapsulates other application level protocols, like HTTP, using a transport-layer protocol called Secure Socket Layer (SSL), which has since been superseded by a similar, more secure version, Transport Layer Security (TLS). Most users of the Internet are familiar with the symbolism common with such secure connections: when a user browses a webpage over HTTPS, usually some visual iconography (usually a padlock) as well as a stark change in the presentation of the page’s location (usually a green indicator) show the end-user that the page was transmitted over HTTPS.
SSL/TLS connections are protected in part by a server certificate stored on the web server. Website operators purchase these server certificates from a small number of competing companies, called Certificate Authorities (CA’s), that can generate them. The web browsers we all use are preconfigured to trust certificates that are “signed” by a CA. The way certificates work in PKI allows certain certificates to sign, or vouch for, other certificates. For example, when you visit Facebook.com, you see your connection is secure, and if you inspect the message, you can see the server certificate Facebook presents is trusted because it is signed by VeriSign, and VeriSign is a CA that your browser trusts to sign certificates.
So… what is an SSL Inspection Proxy? Well, there is a long history of employers and other entities using technology to do surveillance of the networks they own. Most workplace Internet Acceptable Use Policies state clearly that the use of the Internet using company-owned machines and company-paid bandwidth is permitted only for business use, and that the company reserves the right to enforce this policy by monitoring this use. While employers can easily review and log all unencrypted traffic that flows over their networks, that is, any request for a webpage and the returned rendered output, the increasing prevalence of HTTPS as a default has frustrated employers in recent years. Instead of being able to easily monitor the traffic that traverses their networks, they have had to resort to less-specific ways to infer usage of secure sites, such as DNS recording.
(For those unaware and curious, the domain-name system (DNS) allows client computers to resolve a URL’s name, such as Yahoo.com, to its IP address, 22.214.171.124. DNS traffic is not encrypted, so a network operator can review the requests of any computers to translate these names to IP addresses to infer where they are going. This is a poor way to survey user activity, however, because many applications and web browsers do something called “DNS pre-caching”, where they will look up name-to-number translations in advance to quickly service user requests, even if the user hasn’t visited the site before. For instance, if I visited a page that had a link to Playboy.com, even if I never click the link, Google Chrome may look up that IP address translation just in case I ever do in order to look up the page faster.)
So, employers and other network operators are turning to technologies that range from the ethically questionable, such as Deep Packet Inspection (DPI), which looks into all the application traffic you send to determine what you might be doing, to the downright unethical practice of using SSL Inspection Proxies. Now, I concede I have an opinion here, that SSL Inspection Proxies are evil. I justify that assertion because an SSL Inspection Proxy causes your web browser to lie to its end-user, giving them a false assertion of security.
What exactly are SSL Inspection Proxies? SSL Inspection Proxies are servers set up to execute a Man-In-The-Middle (MITM) attack on a secure connection, on behalf of your ISP or corporate IT department snoops. When such a proxy exists on your network and you make a secure request for https://www.google.com, the network redirects your request to the proxy. The proxy then makes a request to https://www.google.com for you, returns the results, and then does something very dirty — it creates a lie in the form of a bogus server certificate. The proxy will create a false certificate for http://www.google.com, sign it with a different CA it has in its software, and hand the response back. This “lie” happens in two manners:
- The proxy presents itself as the server you request, instead of the actual server you requested.
- The proxy states the certificate handed back with the page response is a different one than what was actually handed back by that provider, http://www.google.com in this case.
This interchange would look like this:
It sounds strange to phrase the activities of your own network as an “attack”, but this type of interaction is precisely that, and it is widely known in the network security industry as a MITM attack. As you can see, a different certificate is handed back to the end-user’s browser than what http://www.example.com sent in the above image. Why? Well, each server certificate that is presented with a response is used to encrypt that data. Server certificates have what is called a “public key” that everyone knows, which uniquely identifies the certificate, and they also have a “private key”, known only by the web server in this example. A public key can be used to encrypt information, but only a private key can decrypt it. Without an SSL Inspection Proxy (that is, what normally happens), when you make a request to http://www.example.com, example.com first sends back the public key of the server certificate for its server to your browser. Your browser uses that public key to encrypt the request for a specific webpage as well as a ‘password’ of sorts, and sends that back to http://www.example.com. Then, the server would use its private key to decrypt the request, process it, then use that ‘password’ (called a session key) to send back an encrypted response. That doesn’t work so well for an inspection proxy, because this SSL/TLS interchange is designed to thwart any interloper from being able to intercept or see the data transmitted back and forth.
The reason an SSL Inspection Proxy sends a different certificate back is so it can see the request the end-user’s browser is making so it knows what to pass on to the actual server as it injects itself as a proxy to this interchange. Otherwise, once the request came to the proxy, the proxy could not read it, because the proxy wouldn’t have http://www.example.com’s private key. So, instead, it generates a public/private key and makes it appear like it is http://www.example.com’s server certificate so it can act on its behalf, and then uses the actual public key of the real server certificate to broker the request on.
The reason an SSL Inspection Proxy can even work is because it signs a fake certificate it creates on-the-fly using a CA certificate trusted by the end user’s browser. This, sadly, could be a legitimate certificate (called a SubCA certificate), which would allow anyone who purchases a SubCA certificate to create any server certificate they wanted to, and it would appear valid to the end-user’s browser. Why? A SubCA certificate is like a regular server certificate, except it can also be used to sign OTHER certificates. Any system that trusts the CA that created and signed the SubCA certificate would also trust any certificate the SubCA signs. Because the SubCA certificate is signed by, let’s say, the Diginotar CA, and your web browser is preconfigured to trust that CA, your browser would accept a forged certificate for http://www.example.com signed by the SubCA. Thankfully, SubCA’s are frowned upon and increasingly difficult for any organization to obtain because they do present a real and present danger to the entire certificate-based security ecosystem.
However, as long as the MITM attacker (or, your corporate IT department, in the case of an SSL Inspection Proxy scenario) can coerce your browser to trust the CA used by the proxy, then the proxy can create all the false certificates it wants, sign them with the CA certificate they coerced your computer to trust, and most users would never notice the difference. All the same visual elements of a secure connection — the green coloration, the padlock icon, and any other indicators made by the browser, would be present. My proposal to thwart this:
Website operators should publish a hash of the public key of their server certificates (the certificate thumbprint) as a DNS record. For DNS top-level domains (TLD’s) that are protected with DNSSEC, as long as this DNS record that contains the hash for http://www.example.com is cryptographically signed, neither the corporate IT department of local clients nor a network operator could forge a certificate without creating a verifiable breach that clients could check for and then warn end users about. Of course, browsers would need to be updated to do this kind of verification in the form of a DNS lookup in conjunction with the TLS handshake, but provided their resolvers checked for an additional certificate thumbprint DNS record anyway, this would be a relatively trivial enhancement to make.
EDIT: (April 15, 2013): There is in fact an IETF working group now addressing this proposal, very close to my original proposal! Check out the work of the DNS-based Authentication of Named Entities (DANE) group here: http://datatracker.ietf.org/wg/dane/ – on February 25, they published a working draft of this proposed resolution as the new “TLSA” record. Great minds think alike.
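The check proposed above, sketched as an added example (not code from this post or from the DANE working group): the operator publishes a SHA-256 hash of the certificate's public key in TLSA form, and the client compares it with the certificate it actually received in the handshake. The record fields follow RFC 6698 (usage 3 pins the server's own certificate, selector 1 hashes the SubjectPublicKeyInfo, matching type 1 is SHA-256). Assumptions: the function names are hypothetical, the certificates are constructed unsigned skeletons, and the record is taken to have already arrived through a DNSSEC-validated lookup.

```python
import hashlib

def tlv(tag, body):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def children(der):
    """Split DER contents into (tag, whole element, contents) tuples."""
    out, i = [], 0
    while i < len(der):
        n, j = der[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, j = int.from_bytes(der[j:j + k], "big"), j + k
        out.append((der[i], der[i:j + n], der[j:j + n]))
        i = j + n
    return out

def spki_of(cert_der):
    """Return the DER SubjectPublicKeyInfo from an X.509 certificate."""
    tbs = children(children(cert_der)[0][2])[0][2]
    fields = children(tbs)
    return fields[6 if fields[0][0] == 0xA0 else 5][1]  # [0] version is optional

def tlsa_rdata(cert_der, selector=1):
    """Build 'usage selector matching-type digest' as the site operator would publish."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"

def tlsa_matches(rdata, presented_der):
    """Client check: does the certificate seen in the handshake match the record?"""
    _usage, selector, mtype, digest = rdata.split()
    data = presented_der if selector == "0" else spki_of(presented_der)
    algo = {"1": hashlib.sha256, "2": hashlib.sha512}[mtype]
    return algo(data).hexdigest() == digest.lower()

def sample_cert(serial, key):
    """Constructed, unsigned certificate skeleton with placeholder fields."""
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    fields = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + tlv(0x30, b"") * 4
    return tlv(0x30, tlv(0x30, fields + spki) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

site_key, proxy_key = b"\x11" * 270, b"\x22" * 270   # constructed key material
origin = sample_cert(1, site_key)     # certificate the real site serves
renewed = sample_cert(2, site_key)    # reissued certificate, same key pair
forged = sample_cert(3, proxy_key)    # proxy's on-the-fly certificate, new key pair
record = tlsa_rdata(origin)           # assumed fetched via a DNSSEC-validated lookup
```

Pinning the public key rather than the whole certificate means a routine reissue with the same key pair still matches, while the inspection proxy's substitute fails because the proxy has to generate its own key pair.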