1. The Security Impact of HTTPS Interception 2017 Measurement NDSS TLS
    Z. Durumeric and Z. Ma and D. Springall and R. Barnes and N. Sullivan and E. Bursztein and M. Bailey and J. A. Halderman and V. Paxson
    [View PDF on jhalderm.com]
    [Show BibTex Citation]

    author = {Zakir Durumeric and
    Zane Ma and
    Drew Springall and
    Richard Barnes and
    Nick Sullivan and
    Elie Bursztein and
    Michael Bailey and
    J. Alex Halderman and
    Vern Paxson},
    title = {The Security Impact of {HTTPS} Interception},
    booktitle = {24th Annual Network and Distributed System Security Symposium, {NDSS}
    2017, San Diego, California, USA, February 26 - March 1, 2017},
    year = {2017},
    url = {https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/security-impact-https-interception/},
    timestamp = {Tue, 16 Jan 2018 15:44:17 +0100},
    biburl = {https://dblp.org/rec/bib/conf/ndss/DurumericMSBSBB17},
    bibsource = {dblp computer science bibliography, https://dblp.org}

As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic. In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception. First, we show that web servers can detect interception by identifying a mismatch between the HTTP User-Agent header and TLS client behavior. We characterize the TLS handshakes of major browsers and popular interception products, which we use to build a set of heuristics to detect interception and identify the responsible product. We deploy these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. We find more than an order of magnitude more interception than previously estimated and with dramatic impact on connection security. To understand why security suffers, we investigate popular middleboxes and clientside security software, finding that nearly all reduce connection security and many introduce severe vulnerabilities. Drawing on our measurements, we conclude with a discussion on recent proposals to safely monitor HTTPS and recommendations for the security community.