How HTTPS Interception Works
Plaintext HTTP
TLS TLS
Client Middlebox Server
Server has certificate
for example.com
Middlebox generates
certificate for example.com
Administrator installs
new root certificate
Middlebox inspects
inner HTTP content
Types of HTTPS Interception
● Detect malware
● Detect C&C traffic
● Detect exfiltration
● Anti-terrorism
● Censorship
Antivirus/Corporate/Government
Types of HTTPS Interception
● Inject ads
● Steal private data
Malware
Types of HTTPS Interception
Leaky Proxies
● Product features
● Convenience
Types of HTTPS Interception
Reverse Proxies
● Security
● Performance
● Reliability
Detecting HTTPS Interception [Durumeric et al., 2017]
Plaintext HTTP
TLS TLS
Client Middlebox Server
HTTP User Agent: Chrome
HTTP:
TLS: ?
Server can detect
mismatch between layers
Identifying HTTP and TLS Clients
HTTP
Parse User Agent Header
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/75.0.3770.100 Safari/537.36
5. [Durumeric et al.; 2017]
6. [Althouse & Atkinson, Atkins; 2017]
7. [Frolov, Wustrow; 2019]
8. [...and others]
1. [Ristić; 2009]
2. [Majkowski; 2012]
3. [Brotherston; 2015]
4. [Anderson, McGrew; 2016]
TLS
No identifying field is present in the protocol. Instead, use known techniques for
fingerprinting browsers based on TLS Client Hello.
TLS Handshake (RFC 5246)
TLS libraries tend to keep these fields the same!
TLS Fingerprinting based on Client Hello
[...]
[...]
[...]
MITMEngine: HTTPS Interception Detection Library
Open sourced at https://github.com/cloudflare/mitmengine. PRs welcome!
● Goal #1: Maintainability
○ Fingerprints quickly go stale with browser updates
○ Time-consuming to generate new fingerprints manually
○ Goal is to automatically generate ground truth fingerprints from Cloudflare’s network
● Goal #2: Flexibility
○ Currently support a flexible fingerprint format to model a variety of browser behavior
○ Plan to add support for other TLS fingerprint formats (JA3, tlsfingerprint.io)
● Goal #3: Performance
○ The system should be fast enough to deploy at scale
○ Currently deployed on a sample of Cloudflare traffic
MALCOLM: Overall HTTPS Interception Rates
MALCOLM: HTTPS Interception by Browser/OS
Case Study: Kazakhstan
● Summary of incident w/ live results at https://censoredplanet.org/kazakhstan
● KZ chooses which domains to MITM based on SNI (server name indication)
● Encrypted SNI (eSNI) is on the horizon -- makes selective interception harder
● New MALCOLM feature (soon): filter MITM results by country
KZ only
All
Black Hat Sound Bytes
TLS-terminating middleboxes pose serious threats to network security
Heuristics based on HTTP and TLS fingerprints can be effective at detecting
HTTPS interception
Our new open source tool and public dashboard provide new insights into the
state of HTTPS interception on the Internet
References
● [Ristić; 2009] HTTP client fingerprinting using SSL handshake analysis.
https://blog.ivanristic.com/2009/06/http-client-fingerprinting-using-ssl-handshake-analysis.html
● [Majkowski; 2012] SSL fingerprinting for p0f. https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f
● [Brotherston; 2015] TLS Fingerprinting: Smarter Defending & Stealthier Attacking.
https://blog.squarelemon.com/tls-fingerprinting/
● [Anderson, McGrew; 2016]. TLS Fingerprinting in the Real World.
https://blogs.cisco.com/security/tls-fingerprinting-in-the-real-world
● [Durumeric et al.; 2017] The Security Impact of HTTPS Interception.
https://jhalderm.com/pub/papers/interception-ndss17.pdf
● [Althouse, Atkinson, Atkins; 2017]. TLS Fingerprinting with JA3 and JA3S.
https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
● [Frolov, Wustrow; 2019]. Tlsfingerprint.io
● [Raman et al.; 2019] Kazakhstan’s HTTPS Interception. https://censoredplanet.org/kazakhstan
