Watch out for the Monster-in-the-Middle

Cloudflare has released a brace of tools designed to detect HTTPS interception that it hopes will aid community efforts to improve overall web security.

Many (secure) TLS connections on the internet are not directly from a browser to the server, but pass through a proxy of some type (a so-called “Monster-in-the-Middle”), which might be either malicious or benign.

Legitimate reasons for a client to connect through a forward proxy, for example, would be to allow antivirus software or data loss prevention tools to inspect otherwise encrypted data. The same class of technology also crops up in various strains of malware as a means to extract data.

Although HTTPS interception is prevalent on the internet, it often degrades the security of internet connections, even if it is benign, because it opens up the door to spoofing and connection security downgrade attacks.

This is particularly the case where a root certificate is installed on client devices, Cloudflare argues.

To give sysadmins better control of their enterprise environments, Cloudflare has released MITMEngine, an open source library for HTTPS interception detection.

It has also released MALCOLM, a dashboard displaying metrics about HTTPS interception, as observed on Cloudflare’s network.

MITMEngine (available via GitHub) can be added as a component of servers to bolt on an additional security control.

“Detecting HTTPS interception can help a server to identify suspicious or potentially vulnerable clients connecting to its network,” Cloudflare explains. “A server can use this knowledge to notify legitimate users that their connection security might be degraded or compromised.”

“The presence of content inspection systems can not only weaken the security of TLS connections, but it can hinder the adoption of new innovations and improvements to TLS,” it adds.

MITMEngine is a Golang library that takes in User Agents and TLS Client Hello fingerprints and returns the “likelihood of HTTPS interception and the factors used to identify interception”.

The tool works by “comparing the values in an observed TLS Client Hello to a set of known browser Client Hellos”, Cloudflare researchers Gabbi Fisher and Luke Valenta write in a technically focused blog post.
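The comparison described above can be illustrated in Go. This is an added example written for this page, not MITMEngine's own code or API: the `ClientHello` type, the `Detect` function, the verdict labels and every fingerprint value are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// ClientHello is a simplified fingerprint (hypothetical type, not MITMEngine's).
// Lists are dash-joined decimal IDs in the order the client offered them.
type ClientHello struct {
	Version             uint16 // highest TLS version offered, e.g. 0x0304 for TLS 1.3
	Ciphers, Extensions string
}

// knownHellos holds constructed reference values, not real browser fingerprints.
var knownHellos = map[string]ClientHello{
	"Firefox": {0x0304, "4865-4867-49195", "0-23-10-11-43"},
	"Chrome":  {0x0304, "4865-4866-49195", "0-23-10-11-35"},
}

// Detect compares the hello seen on the wire with the reference for the browser
// named in the User-Agent and returns a verdict plus the factors that drove it.
func Detect(ua string, got ClientHello) (string, []string) {
	for _, name := range []string{"Firefox", "Chrome"} {
		if !strings.Contains(ua, name+"/") {
			continue
		}
		want, factors := knownHellos[name], []string{}
		if got.Version < want.Version {
			factors = append(factors, "tls_version")
		}
		if got.Ciphers != want.Ciphers {
			factors = append(factors, "cipher_suites")
		}
		if got.Extensions != want.Extensions {
			factors = append(factors, "extensions")
		}
		return []string{"unlikely", "possible", "likely", "likely"}[len(factors)], factors
	}
	return "unknown", nil // no reference fingerprint for this User-Agent
}

func main() {
	ua := "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0" // constructed
	fmt.Println(Detect(ua, knownHellos["Firefox"]))                      // hello matches the claimed browser
	fmt.Println(Detect(ua, ClientHello{0x0303, "49195-156", "0-10-11"})) // hello differs from the claimed browser
}
```

A mismatch only shows that the Client Hello was not produced by the browser named in the User-Agent; it does not say whether the intermediary is an antivirus product, a corporate proxy or malware.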

MITMEngine contributes to the corpus of open source encryption audit tools. Other relevant efforts include the EFF SSL Observatory, a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the web.