Cloudflare introduced HTTPS interception detection tools


Cloudflare has introduced the mitmengine library, which detects HTTPS traffic interception, together with the Malcolm web service for visually analysing the interception data Cloudflare has accumulated.

The code is written in Go and distributed under the BSD license. Monitoring Cloudflare's own traffic with the tool showed that approximately 18% of HTTPS connections are intercepted.

HTTPS interception

In most cases, HTTPS traffic is intercepted on the client side by local antivirus applications, firewalls, parental control systems, malware (to steal passwords, replace advertising or run mining code) or corporate traffic inspection systems.

Such systems add their own TLS certificate to the local system's certificate store and use it to intercept the user's protected traffic.

Client requests are forwarded to the destination server on behalf of the interception software, and the client is answered over a separate HTTPS connection established with the interception system's TLS certificate.

In some cases, interception is organized on the server side, when the server owner hands the private key to a third party, for example a reverse proxy operator, a CDN or a DDoS protection service, which receives requests under the original TLS certificate and forwards them to the origin server.

In any case, HTTPS interception undermines the chain of trust and introduces an additional point of compromise, significantly lowering the protection of the connection while preserving the appearance of protection and raising no suspicion among users.

About mitmengine

To identify HTTPS interception, Cloudflare offers the mitmengine package, which is installed on the server and makes it possible both to detect HTTPS interception and to determine which systems performed it.

The method determines interception by comparing the TLS handling characteristics specific to a given browser with the actual state of the connection.

Based on the User-Agent header, the engine determines the browser and then evaluates whether the TLS connection characteristics, such as default TLS parameters, supported extensions, the declared cipher suites, the cipher selection procedure, groups and elliptic curve point formats, correspond to that browser.

The signature database used for the check contains approximately 500 signatures of typical TLS stacks of browsers and interception systems.

Data can be collected passively by analysing the fields of the ClientHello message, which is sent in the clear before the encrypted channel is established.

Traffic is captured with TShark from the Wireshark 3 network analyser.

The mitmengine project also provides a library for integrating interception detection into arbitrary server handlers.

In the simplest case, it is enough to pass the User-Agent and TLS ClientHello values of the current request, and the library returns the probability of interception together with the factors on which the conclusion was based.
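The passive approach described above, as an added example written for this article (it is not mitmengine's code, API or signature database): a parser for the plaintext fields of a TLS ClientHello record, a constructed single-entry signature table keyed by a User-Agent token, and a check that reports in which respects the observed handshake departs from what the claimed browser's TLS stack would send. The `ExampleBrowser/1` token, the fingerprint values and the two sample ClientHello records are all constructed for the example; the helper that builds the records exists only to produce that sample input.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"slices"
	"strings"
)

// Fingerprint is what a passive observer reads from a ClientHello in the clear, in wire order.
type Fingerprint struct{ Ciphers, Extensions []uint16 }

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// BuildClientHello encodes a minimal TLS 1.2 ClientHello record (zero random, empty
// session_id, empty extension bodies). It exists only to construct sample input.
func BuildClientHello(fp Fingerprint) []byte {
	body := be16(append(be16(nil, 0x0303), make([]byte, 33)...), uint16(2*len(fp.Ciphers)))
	for _, c := range fp.Ciphers {
		body = be16(body, c)
	}
	body = be16(append(body, 1, 0), uint16(4*len(fp.Extensions))) // null compression, ext length
	for _, e := range fp.Extensions {
		body = be16(be16(body, e), 0)
	}
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(be16([]byte{0x16, 3, 1}, uint16(len(hs))), hs...)
}

// take splits off a vector with a big-endian length prefix of lenBytes bytes.
// On error it returns p unchanged so the caller can inspect what was left.
func take(p []byte, lenBytes int) (field, rest []byte, err error) {
	n := 0
	for i := 0; i < lenBytes && i < len(p); i++ {
		n = n<<8 | int(p[i])
	}
	if len(p) < lenBytes+n {
		return nil, p, errors.New("truncated vector")
	}
	return p[lenBytes : lenBytes+n], p[lenBytes+n:], nil
}

// ParseClientHello extracts a Fingerprint from exactly one TLS record carrying a ClientHello.
func ParseClientHello(b []byte) (*Fingerprint, error) {
	if len(b) < 44 || b[0] != 0x16 || b[5] != 1 || int(binary.BigEndian.Uint16(b[3:5])) != len(b)-5 ||
		int(b[6])<<16|int(b[7])<<8|int(b[8]) != len(b)-9 {
		return nil, errors.New("not exactly one complete TLS ClientHello record")
	}
	fp, p := &Fingerprint{}, b[43:] // past record/handshake headers, legacy_version and random
	var v [4][]byte                 // session_id, cipher_suites, compression_methods, extensions
	var err error
	for i, n := range [4]int{1, 2, 1, 2} {
		if v[i], p, err = take(p, n); err != nil && (i < 3 || len(p) > 0) { // extensions are optional
			return nil, err
		}
	}
	if len(v[1])%2 != 0 {
		return nil, errors.New("odd cipher_suites length")
	}
	for cs := v[1]; len(cs) > 0; cs = cs[2:] {
		fp.Ciphers = append(fp.Ciphers, binary.BigEndian.Uint16(cs))
	}
	for ext := v[3]; len(ext) > 0; {
		if len(ext) < 4 {
			return nil, errors.New("truncated extension header")
		}
		fp.Extensions = append(fp.Extensions, binary.BigEndian.Uint16(ext))
		if _, ext, err = take(ext[2:], 2); err != nil {
			return nil, err
		}
	}
	return fp, nil
}

// signatures maps a User-Agent token to the Fingerprint that browser's TLS stack is expected to
// send. The entry is constructed for this example: not a real browser, not mitmengine's database.
var signatures = map[string]Fingerprint{
	"ExampleBrowser/1": {[]uint16{0x1301, 0xc02b, 0xc02f, 0x009c}, []uint16{0, 10, 11, 13, 16, 23}},
}

// Assess lists each way the observed ClientHello departs from the Fingerprint expected for the
// browser named in the User-Agent; known is false when no signature matches the User-Agent.
func Assess(ua string, got *Fingerprint) (reasons []string, known bool) {
	for token, want := range signatures {
		if strings.Contains(ua, token) {
			if !slices.Equal(got.Ciphers, want.Ciphers) {
				reasons = append(reasons, "cipher suite list or order differs")
			}
			if !slices.Equal(got.Extensions, want.Extensions) {
				reasons = append(reasons, "extension list differs")
			}
			return reasons, true
		}
	}
	return nil, false
}

func main() {
	// Constructed interception proxy: it forwards the browser's User-Agent unchanged, but its
	// own TLS stack orders the cipher suites differently and offers fewer extensions.
	proxy := Fingerprint{[]uint16{0xc02f, 0xc02b, 0x009c, 0x002f}, []uint16{0, 10, 11, 13}}
	for _, fp := range []Fingerprint{signatures["ExampleBrowser/1"], proxy} {
		if got, err := ParseClientHello(BuildClientHello(fp)); err == nil {
			fmt.Println(Assess("Mozilla/5.0 ExampleBrowser/1", got))
		}
	}
}
```

For the genuine handshake the check returns no reasons; for the proxied one it returns two (cipher order, extension list), which is the mismatch between the User-Agent's claim and the TLS stack actually speaking that the article describes. The `known` flag is deliberate: when no signature matches the User-Agent the code gives no verdict rather than guessing, the same limitation that keeps products with too few collected signatures out of Cloudflare's identified sample.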

Based on statistics of the traffic passing through the Cloudflare content delivery network, which handles approximately 10% of all Internet traffic, a web service has been launched that shows how the interception rate changes from day to day.

For example, a month ago interception was recorded for 13.27% of connections; on March 19 the figure was 17.53%, and on March 13 it peaked at 19.02%.


The most widespread interception engine is the Symantec Blue Coat filtering system, which accounts for 94.53% of all identified interception requests.

It is followed by Akamai's reverse proxy (4.57%), Forcepoint (0.54%) and Barracuda (0.32%).

Most parental control and antivirus systems were not included in the sample of identified interceptors because not enough signatures had been collected to identify them precisely.

In 52.35% of cases the intercepted traffic came from desktop browsers, and in 45.44% from mobile browsers.

In terms of operating systems, the statistics are as follows: Android (35.22%), Windows 10 (22.23%), Windows 7 (13.13%), iOS (11.88%), other operating systems (17.54%).

Source: https://blog.cloudflare.com
