Google and Mozilla's message to AV and security firms: Stop trashing HTTPS

Researchers call out antivirus and security appliance vendors for dangerous SSL inspection practises.
Written by Liam Tung, Contributing Writer

In its evaluation of popular AV products, the study finds that 13 of 29 intercept TLS connections and all but one degrades client security.

Image: Zakir Durumeric et al

A surprisingly large number of antivirus and security products are undermining HTTPS connections and exposing browser users to decryption attacks, according to a study by researchers at Google, Mozilla, Cloudflare, and several US universities.

Thanks to a multi-pronged effort to enable HTTPS everywhere, as of January half the world's traffic on the web is encrypted using the secure TCP/IP HTTPS protocol.

However, while HTTPS or HTTP over transport layer security (TLS) is growing, so too are the number of security appliances and antivirus products that intercept TLS connections to inspect network traffic.

The study finds there is "more than an order of magnitude" of HTTPS interception happening than previously thought, and that vendors are poorly handling inspection after a so-called "TLS handshake", where antivirus or network appliances "terminate and decrypt the client-initiated TLS session, analyze the inner HTTP plaintext, and then initiate a new TLS connection to the destination website".

Looking at eight billion TLS handshakes generated by Chrome, Safari, Internet Explorer, and Firefox, the researchers found interception happening on four percent of connections to Mozilla's Firefox update servers, 6.2 percent of e-commerce sites, and 10.9 percent of US Cloudflare connections.

Of those that were intercepted, the study shows that 97 percent of Firefox, 32 percent of e-commerce, and 54 percent of Cloudflare connections became less secure, while a large chunk also used weak cryptographic algorithms and advertised support for broken ciphers, making it easier for an attacker on the network to decrypt traffic.

"Our results indicate that HTTPS interception has become startlingly widespread, and that interception products as a class have a dramatically negative impact on connection security. We hope that shedding light on this state of affairs will motivate improvements to existing products, advance work on recent proposals for safely intercepting HTTPS and prompt discussion on long-term solutions," they write.

They also find that the default settings on 11 of 12 network appliances tested introduce severe flaws, such as incorrectly validating certificates, while 24 of 26 antivirus products introduce one or more security flaws.

In an evaluation of antivirus products that feature TLS interception, only Avast AV 11 and AV 10 score an A grade, while all others score a C or F. They award a C to products containing a known TLS vulnerability, such as BEAST, FREAK, and Logjam; or an F for products with a severely broken connection due to weak ciphers or not validating certificates.

Other products graded are from AVG, Bitdefender, Bullguard, Cybersitter, Dr Web, ESET, G Data, Kaspersky, KinderGate, Net Nanny, PC Pandora, and Qustodio.

Similarly on the appliance side, only Blue Coat's ProxySG 6642 scored an A. Others products are from A10, Barracuda, Checkpoint, Cisco, Forcepoint Websense, Fortinet, Juniper, Microsoft, Sophos, Untangle, and WebTitan.

The researchers urge antivirus vendors to stop intercepting HTTPS altogether, since the products already have access to the local filesystem, browser memory, and content loaded over HTTPS.

Additionally, they charge all security companies with acting "negligently".

"Many of the vulnerabilities we find in antivirus products and corporate middleboxes, such as failing to validate certificates and advertising broken ciphers, are negligent and another data point in a worrying trend of security products worsening security rather than improving it," they write.

The study is likely to give ammunition to Chrome and Firefox developers who've criticized antivirus firms for undermining browser security features and introducing more security risks to users.

Google's Project Zero, for example, recently found a bug in Kaspersky's TLS inspection that resulted in browsers not flagging an error if a user connected to the wrong site.

Read more about antivirus and security

Editorial standards