Monsters in the Middleboxes: Building Tools for Detecting HTTPS Interception

Conference: BlackHat USA 2019



TLS interception is a serious threat to network security and heuristics based on HTTP and TLS fingerprints can be effective at detecting it.
  • TLS-terminating middleboxes pose serious threats to network security
  • Avoid HTTP interception if possible
  • Middleboxes performing interception should be held at the same security standards as browsers
  • Heuristics based on HTTP and TLS fingerprints can be effective at detecting HTTPS interception
  • Detecting interception is the first step to holding middleboxes accountable
The speaker showed a graph indicating that about 17% of traffic has been intercepted, with certain devices being intercepted more than others. They also demonstrated a dashboard that allows for filtering by fields like browser and operating system, and plan to add more features like filtering by country. They encourage feedback and feature requests for their open source tool and public dashboard.


The practice of HTTPS interception continues to be commonplace on the Internet. In a basic HTTPS connection, a browser (client) establishes a TLS connection directly to an origin server to send requests and download content. However, many connections on the Internet are not directly from a browser to the server serving the website, but instead traverse through some type of proxy or middlebox (a "monster-in-the-middle" or MITM). There are many reasons for a MITM to exist on a connection, both malicious and benign. Past research has shown that HTTPS interception is prevalent on the Internet and that it often degrades the security of Internet connections. A server that refuses to negotiate weak cryptographic parameters should be safe from many of the risks of degraded connection security, but there are plenty of reasons why a server operator may want to know if HTTPS traffic from its clients has been intercepted.

First, detecting HTTPS interception can help a server to identify suspicious or potentially vulnerable clients connecting to its network. A server can use this knowledge to notify legitimate users that their connection security might be degraded or compromised. HTTPS interception also increases the attack surface area of requests between intercepted clients and servers, and presents an attractive target for attackers to violate the integrity and confidentiality of data between these two parties.

Second, the presence of content inspection systems can not only weaken the security of TLS connections, but it can hinder the adoption of new innovations and improvements to TLS. Users connecting through TLS-terminating middleboxes may have connections downgraded to older versions of TLS still supported by the middleboxes; and therefore, may not receive the security, privacy, and performance benefits of new TLS versions. This can happen even if newer versions are supported by both the browser and server.

In this talk, we will provide an overview of the various forms of HTTPS interception, the development of an open-source HTTPS interception detection tool, along with the insights we observed and want to share with the security community. (Check out the tool at: https://github.com/cloudflare/mitmengine).
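As an added example (not code from the talk or from the mitmengine project), the following Python sketches the core of the HTTP-plus-TLS fingerprint heuristic described above: the browser claimed by the HTTP User-Agent header is compared with the TLS ClientHello actually seen on the wire, and a handshake a browser would never send is flagged. The reference fingerprints, User-Agent strings and the middlebox ClientHello are all constructed for illustration, and keying references by browser major version is a simplification of what a real fingerprint database holds.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientHello:
    """The parts of a TLS ClientHello a passive observer can fingerprint."""
    version: int          # highest protocol version offered (0x0304 = TLS 1.3)
    ciphers: tuple        # cipher suite IDs in the order the client offered them
    extensions: tuple     # extension IDs in the order the client offered them


# Constructed reference fingerprints (hypothetical values, not a real database);
# in practice these are learned from connections known to have no middlebox.
KNOWN_GOOD = {
    ("Chrome", 75): ClientHello(0x0304, (0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f),
                                (0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43)),
    ("Firefox", 68): ClientHello(0x0304, (0x1301, 0x1303, 0x1302, 0xc02b, 0xc02f),
                                 (0, 23, 65281, 10, 11, 35, 16, 5, 51, 43, 13, 45)),
}

# Constructed sample inputs: two browser User-Agents and a ClientHello of the
# kind a TLS-terminating proxy might send on the client's behalf (TLS 1.2 only,
# different cipher and extension ordering).
CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/75.0.3770.100 Safari/537.36"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0"
MIDDLEBOX_HELLO = ClientHello(0x0303, (0xc02f, 0xc030, 0x009c, 0x009d, 0x002f, 0x0035),
                              (0, 10, 11, 13, 23, 65281))

UA_RE = re.compile(r"(Firefox|Chrome)/(\d+)")


def parse_user_agent(ua):
    """Return (browser, major_version) for the browsers we hold references for."""
    m = UA_RE.search(ua)
    return (m.group(1), int(m.group(2))) if m else None


def classify(ua, hello):
    """Compare the claimed browser with the observed ClientHello. Returns
    (verdict, reasons): 'unknown' with no reference for the claimed browser,
    'match' when the handshake looks native, 'likely_intercepted' otherwise."""
    key = parse_user_agent(ua)
    if key not in KNOWN_GOOD:
        return "unknown", ["no reference fingerprint for this User-Agent"]
    ref, reasons = KNOWN_GOOD[key], []
    if hello.version < ref.version:
        reasons.append(f"offers TLS {hello.version:#06x}, browser offers {ref.version:#06x}")
    if hello.ciphers != ref.ciphers:
        reasons.append("cipher suite list or order differs from the browser's")
    if hello.extensions != ref.extensions:
        reasons.append("extension list or order differs from the browser's")
    return ("likely_intercepted" if reasons else "match"), reasons
```

A production version would also score partial matches rather than require an exact fingerprint, since browser fingerprints vary by platform and feature flags.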