The National Security Agency (NSA) has issued a warning examining the risks of Transport Layer Security Inspection (TLSI) and providing measures to address security weaknesses in organizations that use TLSI products.
TLSI (also known as TLS break and inspect) is the process by which companies inspect encrypted traffic with the help of special systems, such as a proxy, a firewall, or an Intrusion Detection or Prevention System (IDS/IPS), that decrypt and re-encrypt TLS-protected traffic.
Some companies use this technique to monitor for potential threats, such as data interception, active command and control (C2) channels, or the delivery of malicious software over encrypted traffic. However, this is risky: enterprise TLSI products that do not properly validate TLS certificates weaken the end-to-end protection that TLS encryption provides to end users, dramatically increasing the likelihood that threat actors will target them with man-in-the-middle (MitM) attacks.
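As an added illustration (not from the NSA advisory or this article), the following Python audits the TLS context a TLSI proxy uses on its upstream leg toward the origin server, placing the weak configuration the advisory warns about beside a hardened one; the function names and the `cafile` parameter are assumptions.

```python
"""Audit the upstream (proxy -> origin) TLS context of a TLSI proxy.
Constructed example; the finding codes are this script's own."""
import ssl
from typing import List, Optional


def weak_upstream_context() -> ssl.SSLContext:
    """The misconfiguration the advisory warns about: the proxy re-encrypts
    to the origin but never validates its certificate, so a man-in-the-middle
    upstream is accepted and the client is shown a forged, 'valid' cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # chain is not checked at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # legacy TLS allowed
    return ctx


def hardened_upstream_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Upstream leg that preserves the guarantees TLS gives the client: full
    chain validation, hostname matching, TLS 1.2 or newer only.
    `cafile` (assumed parameter) is the organization's trusted CA bundle;
    when None, the platform trust store is used."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Fail closed: when the upstream handshake fails verification, the proxy
    # must surface that error to the client, not forge a certificate for the
    # client-side leg.
    return ctx


def audit_upstream_context(ctx: ssl.SSLContext) -> List[str]:
    """Return finding codes for settings that undermine upstream validation."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-validation")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-protocol")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("empty-trust-store")   # nothing to validate against
    return findings


if __name__ == "__main__":
    print("weak:", audit_upstream_context(weak_upstream_context()))
    print("hardened:", audit_upstream_context(hardened_upstream_context()))
```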
Measures to address the risks associated with using TLSI devices on a corporate network are provided by the NSA in its security briefing titled Managing Risk from Transport Layer Security Inspection.
The remedies described in the PDF can reduce the risks of using TLSI, provide indicators that alert administrators if a TLSI implementation has been breached, and minimize unintentional obstruction of legitimate network activity.
The Cybersecurity and Infrastructure Security Agency (CISA) also issued a warning about the risks associated with HTTPS inspection in March 2017, stating that organizations considering HTTPS inspection should carefully weigh the advantages and disadvantages of these products before implementing them.
A list of potentially affected TLSI software, compiled by CERT/CC vulnerability analyst Will Dormann, is available here.