Inspecting TLS Web Traffic - Part 2

2019-12-19T20:30:00
ID AKAMAIBLOG:6211A13B88F3313F9CBFB4DABB8A0459
Type akamaiblog
Reporter Jim Black
Modified 2019-12-19T20:45:04

Description

In the first blog post I covered why HTTPS web traffic has grown to unprecedented levels, provided a TLS primer and looked at the basic concept of intercepting and inspecting HTTPS web traffic with Man-In-The-Middle techniques (MITM). In the second part, I will dive a bit deeper into how the TLS MITM capability has been implemented in Akamai's Enterprise Threat Protector (ETP) service.

ETP TLS MITM Proxy Architecture

The basic concept of the ETP proxy is shown in the following diagram.

tlsone.png

The ETP Proxy is a "trusted intermediary" that is able to decrypt, inspect, and re-encrypt all TLS traffic from managed devices. This gives ETP visibility into TLS encrypted traffic and allows it to protect an enterprise from threats, while preserving confidentiality and integrity of traffic to origin web sites.

ETP Proxy uses a MITM Certificate Authority (CA) certificate to generate and sign MITM origin certificates for HTTPS web sites that go through it. For enterprise client computers to accept and trust these certificates, the MITM CA must be deployed on all enterprise computers.

ETP Proxy and TLS Certificates

To show how the Proxy in ETP operates and specifically how it handles TLS certificates, let's first look at how a normal TLS web request operates.

tlstwo.png

As can be seen in this example, the user has made a request to access https://www.facebook.com. As part of the handshake process between the client and the web server, the web server returns to the client an x.509 certificate to establish trust with the client - see the details of the certificate below.

tlsthree.png

As can be seen from the certificate, this was issued and signed by DigiCert Inc., a Certificate Authority or CA. The DigiCert High Assurance EV Root CA is a trusted System Root that is distributed with browsers.

Now let's examine what happens when that same request is made and intercepted by the ETP Proxy.

As part of the decryption process, the original certificate sent by the webserver is copied and resigned by Akamai as the Intermediate Root as seen in the following diagram.

tlsfour.png

The browser will display a security warning message as shown in the following diagram.

tlsfive.png

While users could simply ignore the security warnings and continue to the site, this is not a good security practice and will inevitably lead to user frustration, as the security warning will be displayed every time users visit a proxied HTTPs website.

Let us now look at how we fix the trust chain problem that causes this browser security warning.

Fixing Browser Security Warnings

There are two approaches to fixing the browser security warnings. These are:

  • Signing the Intermediate Certificate Authority with a Private Certificate Authority - this is the preferable method, as it is more secure and simpler to deploy. Use this method if you already have an Enterprise Root CA root certificate deployed on devices
  • Signing the Intermediate Certificate Authority with an Akamai Root CA and deploying that on all your devices - use this method if you don't have your own Private CA root certificate deployed on your devices.

Using an Existing Enterprise Root CA

To use a Private Certificate Authority, you must create a Certificate Signing Request (CSR) for the Intermediate Root. The CSR is created in the Akamai Control Center (portal) and signed by your private CA. Note that the issued certificate must be an Intermediate CA as opposed to a server or other certificate type.

The signed Intermediate Root CA certificate is then uploaded to the Akamai Control Center, which distributes the certificate to the Akamai Intelligent Platform's proxy machines.

The Root Certificate that is used to sign the Intermediate Certificate must be trusted by the device - this is indicated by the blue plus icon in the following figure. See the product documentation for more information.

tlssix.png

Using the Akamai CA

Another configuration option in ETP is to use an Akamai-signed certificate. To use the Akamai CA as an intermediate root certificate, you need to download the certificate from the Akamai Control Center (portal) and copy it into the trust store on every device.