Fighting Back Against SSL Interception (or How SSL Should Work) presented at BSidesDC 2014

by Jacob Thompson

Summary: Enterprises increasingly deploy network security devices to intercept and inspect SSL-protected employee web traffic, often without adequate understanding on the employee's part, and almost certainly without the consent of the entity operating the server. Motivated by the cases of Trustwave, TURKTRUST, and ANSSI, where fraudulent sub-CAs chaining to trusted roots were loaded into SSL interception devices, I examine how an HTTPS web server can (ab)use client certificate authentication to detect the presence of an SSL interception device and block connections traveling through one of these devices. I show how browsers' built-in certificate enrollment capabilities, well-understood in academia but rarely used in practice, can be leveraged to achieve a mild form of mutual authentication relatively painlessly. Using this technique, the server, too, now has a say in whether its traffic can be intercepted and inspected.
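The detection the summary describes, played out end to end as an added example; this is not code from the talk or its author. Go's crypto/tls is used because it can mint the whole PKI in memory and run both ends of a handshake over loopback. Every name in it is an assumption made for illustration: a "Public Root CA" the browser trusts, a fraudulent "Interception Sub-CA" chained to it (the pattern behind the Trustwave, TURKTRUST and ANSSI cases), the site example.test, the site's own "Enrollment CA", and an "employee" client certificate issued from it. The browser-side enrollment the talk relies on is not modelled; the client certificate is simply issued directly from that CA. The site verifies a client certificate whenever one is offered and leaves the no-certificate case to application policy, which is where the interception verdict is made.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and certificate for cn; parent == nil yields a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: carry a name and allow use on either side of a handshake
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// handshake runs one TLS handshake over loopback TCP and returns the client certificates
// the server ends up holding, plus any handshake error from either side.
func handshake(client, server *tls.Config) ([]*x509.Certificate, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", server))
	defer ln.Close()
	cerr := make(chan error, 1)
	go func() { // client side; closing at once is safe because the server configs never write after their first flight
		c, err := tls.Dial("tcp", ln.Addr().String(), client)
		cerr <- err
		if c != nil {
			c.Close()
		}
	}()
	conn := must(ln.Accept())
	defer conn.Close()
	if err := conn.(*tls.Conn).Handshake(); err != nil {
		return nil, err
	}
	return conn.(*tls.Conn).ConnectionState().PeerCertificates, <-cerr
}

// runScenarios plays out a browser reaching the site directly and the same browser going through an interception device.
func runScenarios() (directOK, deviceSawCert, interceptedOK bool, err error) {
	root, rootKey := issue("Public Root CA", true, nil, nil)
	site, siteKey := issue("example.test", false, root, rootKey)
	subCA, subKey := issue("Interception Sub-CA", true, root, rootKey) // fraudulent sub-CA under the trusted root
	forged, forgedKey := issue("example.test", false, subCA, subKey)   // what the device shows the browser
	enrollCA, enrollKey := issue("example.test Enrollment CA", true, nil, nil)
	employee, employeeKey := issue("employee", false, enrollCA, enrollKey) // issued to the browser at enrollment
	trusted, enrolled := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(root)
	enrolled.AddCert(enrollCA)
	server := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{site.Raw}, PrivateKey: siteKey}}, // the site
		ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: enrolled, SessionTicketsDisabled: true}
	browser := &tls.Config{ServerName: "example.test", RootCAs: trusted,
		Certificates: []tls.Certificate{{Certificate: [][]byte{employee.Raw}, PrivateKey: employeeKey}}}
	// 1. Direct: the browser proves possession of the enrolled key, so the site lets it in.
	peer, err := handshake(browser, server)
	if err != nil {
		return
	}
	directOK = len(peer) > 0 // the site's policy: no enrolled client cert means the session was not set up by our browser
	// 2a. Browser-facing leg: the device impersonates the site with the forged chain; asking for the client cert yields only its public half.
	device := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{forged.Raw, subCA.Raw}, PrivateKey: forgedKey}},
		ClientAuth: tls.RequestClientCert, SessionTicketsDisabled: true}
	seen, err := handshake(browser, device)
	if err != nil {
		return
	}
	deviceSawCert = len(seen) == 1
	// 2b. Upstream leg: without the employee's key the device cannot sign CertificateVerify, so it connects as a plain client.
	peer, err = handshake(&tls.Config{ServerName: "example.test", RootCAs: trusted}, server)
	interceptedOK = len(peer) > 0
	return
}

func main() { fmt.Println(runScenarios()) } // prints: true true false <nil>
```

Run with go run; it prints "true true false <nil>": the direct connection is admitted, the device did obtain the browser's certificate on its own leg, and the upstream leg is refused. The second scenario is the point of the technique: the certificate is public and the device can collect it, but the private key never leaves the browser, so the device cannot produce the CertificateVerify the site's CertificateRequest demands and must connect as an anonymous client. Two caveats a deployment has to live with: the site cannot tell an intercepted session from a browser that simply never enrolled, which is why the talk pairs the check with painless enrollment; and a device that forwards TLS untouched passes the check, but then it cannot read the traffic either. Listener and accept failures are environmental and panic through must rather than being reported as verdicts.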