Cloudflare has announced the release of two new HTTPS interception detection tools. They help a website's operator detect whether the TLS connection from a visiting browser has been intercepted by a third party on the way to the server.
In a report dated March 18, 2019, Bleeping Computer states, “Cloudflare announced the release of two new tools designed to make it simpler to check if TLS connections to a website have been intercepted, to detect vulnerable clients and potentially notify them when their security is compromised or degraded.”
The two tools introduced include MITMEngine, an open source library for HTTPS interception detection, and MALCOLM, a dashboard displaying metrics about HTTPS interception observed on Cloudflare’s network.
A Cloudflare blog post, dated 18 Mar 2019, discusses HTTPS interception and the two newly introduced tools in detail. The blog post explains what MITMEngine is; it says, “MITMEngine is a Golang library that ingests User Agents and TLS Client Hello fingerprints, then returns the likelihood of HTTPS interception and the factors used to identify interception.”
It further says, “MITMEngine works by comparing the values in an observed TLS Client Hello to a set of known browser Client Hellos.”
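The comparison the blog post describes can be illustrated with a small Go program. The following is an added example written for this article; it is not MITMEngine's code and does not use its API. The reference fingerprints for Chrome and Firefox, the browser families recognised from the User-Agent string, the "proxy" Client Hello and the thresholds for the likelihood grades are all constructed for illustration. The idea it demonstrates is the one the post states: map the User-Agent to a browser family, compare the observed Client Hello (offered TLS version, cipher suites, extensions and curves) against what that browser is known to send, and report both a likelihood and the individual mismatches that led to it.

```go
package main

import (
	"fmt"
	"strings"
)

// ClientHello carries the Client Hello fields a fingerprint is built from.
// Constructed for this example; MITMEngine's own types and table differ.
type ClientHello struct {
	MaxVersion   uint16   // highest TLS version offered (from supported_versions if present)
	CipherSuites []uint16 // cipher suite IDs in the order the client offered them
	Extensions   []uint16 // extension type IDs in offered order
	Curves       []uint16 // supported_groups IDs
}

// Verdict is what the comparison returns: the browser the User-Agent claimed,
// how strongly the Client Hello disagrees with it, and every mismatch found.
type Verdict struct {
	Browser    string
	Likelihood string // "none", "possible" or "likely"
	Reasons    []string
}

// Reference fingerprints keyed by browser family. Approximate, constructed
// values for illustration only; a real table is large and per-version.
var reference = map[string]ClientHello{
	"chrome": {
		MaxVersion:   0x0304,
		CipherSuites: []uint16{0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030, 0xcca9, 0xcca8},
		Extensions:   []uint16{0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 21},
		Curves:       []uint16{29, 23, 24},
	},
	"firefox": {
		MaxVersion:   0x0304,
		CipherSuites: []uint16{0x1301, 0x1303, 0x1302, 0xc02b, 0xc02f, 0xcca9, 0xcca8, 0xc02c, 0xc030},
		Extensions:   []uint16{0, 23, 65281, 10, 11, 16, 5, 51, 43, 13, 28},
		Curves:       []uint16{29, 23, 24, 25},
	},
}

// browserFromUA maps a User-Agent string to a reference table key ("" if unknown).
func browserFromUA(ua string) string {
	switch {
	case strings.Contains(ua, "Firefox/"):
		return "firefox"
	case strings.Contains(ua, "Chrome/") && !strings.Contains(ua, "Edg/") && !strings.Contains(ua, "OPR/"):
		return "chrome"
	}
	return ""
}

// diffIDs reports IDs the client offered that the reference browser never sends,
// and IDs the reference always sends that the client left out. Order is ignored
// so that a single misplaced entry is not counted twice.
func diffIDs(label string, observed, ref []uint16) []string {
	refSet := make(map[uint16]bool, len(ref))
	for _, id := range ref {
		refSet[id] = true
	}
	obsSet := make(map[uint16]bool, len(observed))
	var reasons []string
	for _, id := range observed {
		obsSet[id] = true
		if !refSet[id] {
			reasons = append(reasons, fmt.Sprintf("%s 0x%04x offered but not in reference", label, id))
		}
	}
	for _, id := range ref {
		if !obsSet[id] {
			reasons = append(reasons, fmt.Sprintf("%s 0x%04x expected but missing", label, id))
		}
	}
	return reasons
}

// Evaluate compares the observed Client Hello with the fingerprint of the
// browser the User-Agent claims to be and grades the mismatch.
func Evaluate(ua string, observed ClientHello) Verdict {
	v := Verdict{Browser: browserFromUA(ua), Likelihood: "none"}
	ref, ok := reference[v.Browser]
	if !ok {
		v.Reasons = []string{"no reference fingerprint for this User-Agent"}
		return v
	}
	// A lower maximum version than the browser supports is the downgrade an
	// older middlebox causes when it re-originates the connection.
	if observed.MaxVersion < ref.MaxVersion {
		v.Reasons = append(v.Reasons, fmt.Sprintf("TLS version downgraded: 0x%04x offered, browser supports 0x%04x", observed.MaxVersion, ref.MaxVersion))
	}
	v.Reasons = append(v.Reasons, diffIDs("cipher", observed.CipherSuites, ref.CipherSuites)...)
	v.Reasons = append(v.Reasons, diffIDs("extension", observed.Extensions, ref.Extensions)...)
	v.Reasons = append(v.Reasons, diffIDs("curve", observed.Curves, ref.Curves)...)
	switch {
	case len(v.Reasons) >= 3:
		v.Likelihood = "likely"
	case len(v.Reasons) > 0:
		v.Likelihood = "possible"
	}
	return v
}

func main() {
	chromeUA := "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
	// Constructed Client Hello resembling an older OpenSSL-based proxy: TLS 1.2
	// only, RSA key exchange and 3DES offered, none of the TLS 1.3 extensions.
	proxyHello := ClientHello{
		MaxVersion:   0x0303,
		CipherSuites: []uint16{0xc02f, 0xc030, 0x009c, 0x009d, 0x002f, 0x0035, 0x000a},
		Extensions:   []uint16{0, 10, 11, 13, 23},
		Curves:       []uint16{23, 24},
	}
	for _, h := range []ClientHello{reference["chrome"], proxyHello} {
		v := Evaluate(chromeUA, h)
		fmt.Printf("browser=%s likelihood=%s\n", v.Browser, v.Likelihood)
		for _, r := range v.Reasons {
			fmt.Println("  -", r)
		}
	}
}
```

Run as written, the genuine Chrome fingerprint yields no reasons, while the proxy-style Client Hello under the same User-Agent is graded "likely" with the version downgrade listed first, followed by the legacy cipher suites it added, the TLS 1.3 cipher suites and extensions it dropped, and the missing X25519 curve. Returning the reasons alongside the grade is the point: an operator can see which legacy feature the interceptor re-introduced, not just that something is off.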
As regards the other tool MALCOLM, the blog post states, “To complement MITMEngine, we also built a dashboard, MALCOLM, to apply MITMEngine to a sample of Cloudflare’s overall traffic and observe HTTPS interception in the requests hitting our network.”
HTTPS/TLS interception can be benign or malicious, and it has several common sources: antivirus software and corporate proxies, malware proxies, leaky proxies, and reverse proxies. The Cloudflare blog post discusses each of these in detail and also explains why HTTPS interception needs continued examination.
The Cloudflare post explains that detecting HTTPS interception lets a server identify suspicious or potentially vulnerable clients connecting to it, and that this knowledge can be used to inform users that the security of their connection may be compromised. It also points out that HTTPS interception increases the attack surface of the system: the intercepting software terminates TLS on the client's behalf, so any weakness in it becomes a weakness of the connection, which makes the system a more attractive target for attackers.
Cloudflare also points out that content inspection systems weaken the security of TLS connections and at the same time hinder the adoption of new TLS versions and improvements. The blog post explains, “Users connecting through older middleboxes may have their connections downgraded to older versions of TLS the middleboxes still support, and may not receive the security, privacy, and performance benefits of new TLS versions, even if newer versions are supported by both the browser and the server.”
Published studies show that HTTPS interception is widespread and that it measurably degrades the security of the connections it touches. In this context, tools that detect and analyze intercepted TLS connections more accurately are highly relevant.