TLS proxies? Nah. Truthfully Less Secure 'n' poxy, say Canadian infosec researchers

Enterprises buying TLS proxies to improve their network security could easily be making things worse, according to Canadian research out this week.

The analysis is depressing enough on its own, but it comes from a group with a long history of demonstrating insecurity in TLS (Transport Layer Security) proxies: Concordia University's Concordia Institute of Systems Engineering.

In 2016, associate professor Mohammad Mannan worked with Xavier de Carné de Carnavalet, and the pair got their teeth into the meat of home-level proxies, concluding that none were secure. At the time, El Reg hoped "De Carnavalet and Mannan get the chance to repeat their tests against corporate proxies, and will keep some popcorn for just such an event".

It's popcorn time: Mannan is still at Concordia, he's now spent more than a year with enterprise kit, and together with associate prof Amr Youssef and co-researcher Louis Waked, has turned up a lovely set of new proxy vulnerabilities.

In this paper at arXiv, published on 24 September, even the abstract makes for depressing reading: "We found that four appliances perform no certificate validation at all, three use pregenerated certificates, and 11 accept certificates signed using MD5, exposing their clients to MITM attacks."

To evaluate enterprise-level TLS proxies, Mannan et al created and published certificate validation test tools, and applied those tests to 13 products (from open source all the way up to Switchzilla).

The products tested were Untangle's next generation firewall, NetGate's pfSense, TitanHQ's WebTitan Gateway, Microsoft's TMG, Entensys' UserGate, Cisco's Ironport WSA, the Sophos UTM, TrendMicro's InterScan, the McAfee Web Gateway, Cacheguard's Web Gateway, Deciso's OpnSense, Comodo's Dome firewall, and the Endian firewall.

As well as performing certificate validation tests, the researchers tested all products for mitigation against known attacks like BEAST, CRIME, FREAK, Logjam, and Insecure Renegotiation from 2009.

Only pfSense and McAfee were verifiably secure against BEAST, but in a sliver of good news, "all the appliances are patched against FREAK, Logjam, CRIME, and Insecure Renegotiation".

Here are some of the other hopeless failings the researchers found:

• Ten appliances allowed TLS versions back as far as 1.0, and three reached back to the deprecated SSL 3.0. Microsoft, however, took the cake, supporting only TLS 1.0 and SSL 3.0;
• All the appliances had RSA key issues, and only Microsoft handled hashes correctly;
• Eight products still supported the weak Triple-DES cipher suite.

Certificate validation was a mess pretty much everywhere, with researchers turning up many no-longer-trusted certificates in the products tested. Certificates issued by China's CNNIC, DigiNotar, TURKTRUST, France's ANSSI and WoSign, for example, abounded.

The researchers wrote that man-in-the-middle (MITM) attacks would be "trivial" against UserGate, WebTitan, Comodo and Endian products (since they don't validate certificates), as well as Cacheguard and Untangle (which accept self-signed certificates). Trend Micro, McAfee and Cacheguard could also be MITM'd because they all use pre-generated root keys.

If an attacker was a little more sophisticated, they could rely on hash collisions: "All appliances except Untangle and McAfee accept certificates signed using MD5, with WebTitan, Microsoft, UserGate, Cisco and Comodo also accept MD4."

We told you tests on enterprise TLS proxies would be fun... ®