US-CERT published another bad article

https://www.us-cert.gov/ncas/alerts/TA17-075A

Last time it was GRIZZLY STEPPE, this time they're saying that TLS inspection is bad. Let's start by explaining what they're talking about.
Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers.
This is essentially your basic SSL/TLS man-in-the-middle attack, but in an approved fashion. On an enterprise web-proxy, this allows you to do all kinds of wonderful things, like monitor C2 over HTTPS, or even detect delivery of malicious payloads from HTTPS-enabled websites.

So why is US-CERT saying this is dangerous?
All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected.
They just used a terrible word: "potentially". Why is this a bad word? Because it has no estimative value - it means only "greater-than-0% probability", which tells the reader nothing. For more on this subject, read:


But here's the real reason this article is dumb: the headline is immediately contradicted by the content!
Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.
They're saying that as long as the product behaves the way it's supposed to behave and validates SSL/TLS sessions like it's supposed to, then everything is fine!
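To make that concrete, here is an added Python sketch (not code from the post or from the alert) of the two ways an interception proxy can open its upstream leg: one that skips the validations the alert is talking about, and one that performs them. The audit function and all names are my own.

```python
import ssl


def weak_upstream_context() -> ssl.SSLContext:
    """The failure mode the alert describes: the proxy terminates the client's
    TLS session, then talks to the real server without checking who it is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # server name never compared to the cert
    ctx.verify_mode = ssl.CERT_NONE     # certificate chain never validated
    return ctx


def hardened_upstream_context() -> ssl.SSLContext:
    """What 'performing the necessary HTTPS validations' looks like on the
    upstream leg: chain validation against the trust store, hostname check,
    and no legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_upstream_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the validation gaps in a proxy's upstream context.
    Hypothetical helper: it inspects a context object, not a running product."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not validated (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server name not checked against certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 permitted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_upstream_context()),
                      ("hardened", hardened_upstream_context())):
        print(name, audit_upstream_context(ctx) or ["no findings"])
```

A proxy that passes this audit still has to convey an upstream failure to the client (by refusing the connection rather than minting a valid-looking certificate for it), which is the second half of the alert's sentence.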

So what could they have done better? Well, a less FUD-ly headline would be nice. Something along the lines of "Some SSL/TLS-Inspection Proxies Do Not Sufficiently Obey SSL/TLS Paradigms".


So what can you do about it? For one, don't listen to US-CERT. These are the same clowns that published GRIZZLY STEPPE, one of the worst CND/CTI products since Norse. Second, when you see things like this in the news, read the full source, because the headlines often don't sufficiently convey the message.

Bonus: For a great example of bad headlines and bad words of estimative probability, read https://en.wikipedia.org/wiki/Words_of_estimative_probability#Policy_and_intelligence_failures_related_to_WEPs.
