
BlueCoat and other proxies hang up during TLS 1.3 - coderobe
https://bugs.chromium.org/p/chromium/issues/detail?id=694593
======
JoshTriplett
Note that this happens even when using a BlueCoat proxy in non-MITM mode.
BlueCoat tries to "analyze" TLS connections, and rejects anything it doesn't
understand. This exact issue occurred with TLS 1.2 back when BlueCoat only
understood 1.1/1.0.

In this case, it doesn't sound like they're reverting it because of overall
breakage, but rather because it _breaks the tool that would otherwise be used
to control TLS 1.3 trials and other configuration_. Firefox had a similar
issue, where they temporarily used more conservative settings for their
updater than for the browser itself, to ensure that people could always obtain
updates that might improve the situation.

~~~
jessaustin
_This exact issue occurred with TLS 1.2 back when BlueCoat only understood
1.1/1.0._

Good grief! From David Benjamin's final comment:

 _Note these issues are always bugs in the middlebox products. TLS version
negotiation is backwards compatible, so a correctly-implemented
TLS-terminating proxy should not require changes to work in a TLS-1.3-capable
ecosystem. It can simply speak TLS 1.2 at both client <-> proxy and proxy <->
server TLS connections. That these products broke is an indication of defects
in their TLS implementations._

It's understandable that I've never heard of BlueCoat: clearly this product's
success is based more on selling to executives than on quality, and it has
been some time since I worked in an organization that had executives to sell
to.

~~~
semi-extrinsic
There was a paper posted on HN a few weeks back by some pretty serious
security researchers on the security risks of SSL MITM boxes.

[https://jhalderm.com/pub/papers/interception-ndss17.pdf](https://jhalderm.com/pub/papers/interception-ndss17.pdf)

How do you fix this when you're naught but a humble employee? Well, a friend
of mine worked at a fairly large tech company where a salesguy for these boxes
had convinced the CTO they had to have them. Every tech-person "on the floor"
hated the idea, so before the boxes were installed they conspired on their
free time to write some scripts that ran lots of legitimate HTTPS traffic,
effectively DDOSing the boxes and bringing the company's internet to a crawl
for the day, like Google would take ten seconds to open. Then obviously
everyone (including the non-tech people) started calling the IT helpdesk
complaining that the internet was broken. MITM box salesguy then had to come
up with a revised solution, costing 20x more than his first offer, and that
was the end of that.

If you already are suffering under MITM boxes, a similar strategy with a slow
ramp-up in traffic might work.

~~~
cm2187
Yeah. This is a fireable offense. The solution to your company MITMing your
traffic is not to use your work computer for anything personal that matters.
It's not as if we had a shortage of devices to connect to the internet.

~~~
semi-extrinsic
If you live in a third-world country (or the US) which lacks basic functions
of society like employee protection, a sensible minimum wage, universal
healthcare, paid parental leave, etc., then yes, I don't recommend doing what
my friend did with employing a little "civil disobedience" in such cases.

TBH, for most techies I don't think opposition to MITM boxes comes down to "I
don't want them to catch me looking at cat photos" but more along the lines of
"this will actually reduce security as much as it improves it, and the
companies providing these products are also aiding repressive regimes and
human rights violations across the globe". Personally, I would find it
unethical for the company I work for to buy these products.

~~~
Anderkent
> Personally, I would find it unethical for the company I work for to buy
> these products.

Then leave the company in protest or convince it not to buy them. DDoSing the
company's network is somehow not unethical, I guess?

~~~
semi-extrinsic
I agree talking to IT is step 1, and I'm assuming that hasn't worked.

Collective action (strikes, "work slowly protests" etc.) as a protest against
company policy has a long precedent of a) being protected by law and b) being
much more effective than a single employee quitting, while simultaneously
reducing the downside for employees (in L_\infty norm).

Edit: the old Keynes quote comes to mind: "if you owe the bank $100 you have a
problem, but if you owe the bank $100 million the bank has a problem" -- if 1
of the company's devs commits a "fireable offense", he/she has a problem, but
if 100 of them do, the company has a problem.

~~~
raesene6
However, with collective action, the company is usually aware of their
employees' actions; here, if I'm reading correctly, management were not notified
that this was happening, so perhaps not quite the same thing.

------
morecoffee
Amazing how this was predicted coming on a year ago*

> At this point it's worth recalling the Law of the Internet: blame attaches
> to the last thing that changed.

> There's a lesson in all this: have one joint and keep it well oiled.

> When we try to add a fourth (TLS 1.3) in the next year, we'll have to add
> back the workaround, no doubt. In summary, this extensibility mechanism
> hasn't worked well because it's rarely used and that lets bugs thrive.

* [https://www.imperialviolet.org/2016/05/16/agility.html](https://www.imperialviolet.org/2016/05/16/agility.html)

------
hannob
This is even crazier than people may think on the first look.

The TLS community knew that there would be problems with the deployment of TLS
1.3 with version intolerance, because there always have been. That's why the
version negotiation was changed and a mechanism called GREASE was invented to
avoid just such problems. But it seems BlueCoat has shown us that there's no
way to anticipate all the breakage introduced by stupid vendors.

The takeaway message is this: Avoid Bluecoat products at all costs. These
companies are harming the Internet and its progress.

------
xfs
The title was editorialized. TLS 1.3 is a working draft and Chromium is just
doing a field trial with it.

A few days ago there were other issues with this causing Chromium to stop
working on *.google.com so it's not just about middle-boxes.

[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855434](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855434)

[https://bugs.chromium.org/p/chromium/issues/detail?id=693943](https://bugs.chromium.org/p/chromium/issues/detail?id=693943)

~~~
the8472
TLS 1.3 may be a working draft; correctly implementing TLS version negotiation,
on the other hand, is not, as it already is a requirement of previous versions.

------
db48x
The long-term solution is simply not to work anywhere that insists on running
a MITM attack on all of your communications.

~~~
marcoperaza
Without an SSL MITM, Intrusion Detection Systems (IDS's) are much less
effective.

If you're using your company's network, then they have every right to monitor
all of the activity on it. They're trying to protect trade secrets, future
plans, customer data, employee records, etc. from attackers who would use that
information to do harm to the company, its customers, and its employees. If
you don't want your employer to know what you're doing, then don't use the
company computer or company network to do it. And while you may think that
you're too tech savvy to fall prey to malware 1) not everyone at your company
is, and 2) no amount of savvy will protect you from all malware, especially
ones that gain a foothold through an unpatched exploit. And there's also that
whole other can of worms: malicious employees.

~~~
riffic

> If you're using your company's network, then they have every right to monitor
> all of the activity on it.

This is tantamount to steaming open and resealing the envelopes of all
physical mail. Have some god damn ethics, I'd sooner quit than snoop traffic
in this manner.

~~~
btbuilder
All MITM proxies I know require an enterprise CA trusted by the end-point. If
that CA is on your machine the endpoint is probably owned by your employer. It
is legal in most jurisdictions for your employer to monitor the usage of
resources they have provided, be it computer or network.

I would never trust a company device, or company network, with anything I
consider sensitive. Use your own device and keep it on cellular.

Also though I don't like it, employers in the US do have the right to open
mail addressed to you personally if delivered to the office.

~~~
NoGravitas
Legal and ethical aren't the same thing, though. I agree it's legal for your
employer to monitor traffic on their network. But an ethical sysadmin would
not facilitate their doing so (unless there were a fairly significant and
unusual justification in context).

(Note: I would also never trust a company device or company network, and I
keep my personal devices completely separate from the company network for this
reason. But I consider this a workaround for a deplorable situation, rather
than just the way things are.)

~~~
btbuilder
Personally I think that is too simplistic a position and the reality is more
complex. Most people would agree that using this approach to spy on your
employees to track their banking activity is unethical. Using MITM-SSL as a
way to get visibility on certain APTs using products such as FireEye is
controversial, but I don't personally believe it to be unethical.

I would argue against such an approach if there are alternatives but if the
organization's leaders were set on it I would engage with the process and make
sure that it did not evolve into more unethical practices such as logging all
traffic contents or the above banking example.

------
peterkelly
From
[https://www.bluecoat.com/products-and-solutions/ssl-visibili...](https://www.bluecoat.com/products-and-solutions/ssl-visibility-appliance)

> _" Enterprise class Blue Coat’s SSL Visibility Appliance is comprehensive,
> extensible solution that assures high-security encryption. While other
> vendors only support a handful of cipher-standards, the SSL Visibility
> Appliance provides timely and complete standards support, with over 70
> cipher suites and key exchanges offered, and growing. Furthermore, unlike
> competitive offerings, this solution does not “downgrade” cryptography
> levels and weaken your organization’s security posture, putting it at
> greater risk. As the SSL/TLS standards evolve, so will the management and
> enforcement capabilities of the SSL Visibility Appliance."_

~~~
al2o3cr
Look, connections that can't be opened are obviously 100% secure. #sales
#winning

------
chaz6
It sounds like if you run a web server, you should think about only supporting
TLS 1.3 with no downgrade support, to ensure security without the possibility
of your visitors' being subject to interception by a third party (even if it
is their own enterprise).

~~~
chinathrow
That is entirely doable - if you don't care about enterprise/gov/school users
using such proxies.

------
pluma
If your (content filter, monitoring, anti-virus) software is indistinguishable
from malware, maybe it's malware.

~~~
phkahler
Particularly software that uses MITM against TLS.

------
duncans
Many a head-scratching web application error investigation has resulted in an
"a-ha" moment when you notice the `X-BlueCoat-Via` header in your logs. It
does stuff like issuing GETs against URLs that only have POST handlers. It
issues these random requests having procured its users' auth cookies even when
the real user has since left the site.
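
Added example (not from the thread): a triage sketch in Python for the symptom described above, flagging logged requests that carry an `X-BlueCoat-Via` header and use a method the route does not handle. The JSON log layout, the route table and the sample entries are constructed for illustration.

```python
import json
from collections import Counter

# Hypothetical route table: the methods each path actually handles.
ROUTES = {"/login": {"POST"}, "/cart/checkout": {"POST"}, "/products": {"GET"}}

# Constructed JSON-lines access log; header values are placeholders.
SAMPLE_LOG = """\
{"ts": "t1", "method": "POST", "path": "/login", "headers": {"User-Agent": "ua-1"}}
{"ts": "t2", "method": "GET", "path": "/login", "headers": {"X-BlueCoat-Via": "placeholder"}}
{"ts": "t3", "method": "GET", "path": "/cart/checkout", "headers": {"x-bluecoat-via": "placeholder"}}
{"ts": "t4", "method": "GET", "path": "/products", "headers": {"X-BlueCoat-Via": "placeholder"}}
{"ts": "t5", "method": "GET", "path": "/login", "headers": {"User-Agent": "ua-2"}}
not-json garbage line
"""

def has_proxy_header(headers):
    """HTTP header names are case-insensitive, so compare lower-cased."""
    return any(name.lower() == "x-bluecoat-via" for name in headers)

def proxy_method_mismatches(log_text, routes):
    """Return entries sent via the proxy whose method the route does not handle."""
    hits = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines rather than abort the triage
        if not isinstance(entry, dict):
            continue
        allowed = routes.get(entry.get("path"))
        if allowed is None or entry.get("method") in allowed:
            continue  # unknown route, or a method the route handles
        if has_proxy_header(entry.get("headers", {})):
            hits.append(entry)
    return hits

def summarize(hits):
    """Count flagged requests per (method, path) to show which handlers are hit."""
    return Counter((e["method"], e["path"]) for e in hits)

if __name__ == "__main__":
    flagged = proxy_method_mismatches(SAMPLE_LOG, ROUTES)
    print([e["ts"] for e in flagged], dict(summarize(flagged)))
```

Entry `t5` is deliberately left unflagged: a wrong-method request without the proxy header is more likely an ordinary client error than proxy replay.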

------
throw2016
There is a massive hypocrisy in browser vendors getting hysterical about self
signed certs while letting MITM proxies operate with impunity or worse working
with them.

Why isn't there an effort to detect MITM proxies and post equally scary
warnings? Surely users have a right to know.

MITM is worse than self signed certs and if 'exceptions' can be found for MITM
like corporate security, management etc then the same exceptions should be
found for self signed certs for individuals rather than creating dependencies
on CA 'authorities'. This is just another instance of furthering corporate
interests while sacrificing individuals.

~~~
wolf550e
Why do you prefer a self signed certificate instead of using Let's Encrypt?

You can create a self signed CA and add it to trusted roots to avoid warnings.

~~~
throw2016
Because it does not rely on any 'authority'. The increasingly scary warnings
by browser vendors are in stark contrast to zero interest in detecting MITMs
and warning users. The next step could very well be disabling the ability
to add exceptions for self signed certs.

Why not promote content encryption or explore other ideas that do not rely on
central authorities, and we can see there are always workarounds for corporates
but individuals are thrown under the bus.

------
tehabe
I kinda hoped that TLS 1.3 had some magick in it so that those MITM proxies
would no longer work because they can be recognized by the browser and the
browser can say: how about no.

Also, weren't there some security issues relating to the possibility to
downgrade the encryption of a connection?

------
mastax
Wouldn't it be better to allow enterprises to do version pinning (which I
believe used to be supported in chrome enterprise), rather than remove TLS 1.3
for everyone?

~~~
rasz_pl
You mean giving control back to the users of your software? Google doesn't play
like that. Mothership knows best!

You can't even freeze chrome extensions.

------
shthed
I wish Chrome wouldn't show a site as 'Secure' if it can tell that the
connection is being MITM'd

~~~
jeroenhd
This is a good point. Google has added functionality so that user installed
certificates bypass all certificate pinning utilities, so users using these
tools are less protected. However, there is no indication of the network being
monitored once the certificate has been installed.

On Android every time a user-installed certificate authority is used a warning
is shown. Furthermore, the user is forced to set a lock screen the moment you
install a certificate.

If Google can push this (frankly user unfriendly) UI through, why not change
"Secure" into "Monitored" in Google Chrome? The green padlock is a lie and the
truth is exposed only after inspecting the certificate using the web developer
tools.

------
jessaustin
I guess in future, TLS upgrades will be opt-in?

~~~
discreditable
This is something the TLS spec authors have prepared against with GREASE. The
idea is the client adds some junk version information to its list of supported
protocols. To quote: "Correct server implementations will ignore these values
and interoperate. Servers that do not tolerate unknown values will fail to
interoperate with existing clients, revealing the mistake before it is
widespread."

[https://tools.ietf.org/html/draft-davidben-tls-grease-00](https://tools.ietf.org/html/draft-davidben-tls-grease-00)
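
Added example (not part of the thread or of any commenter's post): a small Python model of the version negotiation and GREASE behaviour discussed above, contrasting a selector that ignores unknown values with one that aborts on them. Function names, the `LEGACY_BOX` set and the sample bytes are constructed; the `supported_versions` layout and the GREASE value pattern follow the published TLS 1.3 and GREASE specifications.

```python
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
LEGACY_BOX = {TLS10, TLS11, TLS12}  # hypothetical peer that predates TLS 1.3

def is_grease(value):
    """GREASE code points have two equal bytes whose low nibble is 0xA."""
    hi, lo = value >> 8, value & 0xFF
    return hi == lo and (lo & 0x0F) == 0x0A

def parse_supported_versions(body):
    """ClientHello supported_versions body: 1-byte length, then 2-byte versions."""
    if len(body) < 3 or body[0] != len(body) - 1 or body[0] % 2:
        raise ValueError("malformed supported_versions")
    return [v for (v,) in struct.iter_unpack("!H", body[1:])]

def tolerant_select(offered, supported):
    """Correct behaviour: skip unknown values, pick the highest shared version."""
    shared = [v for v in offered if v in supported]
    return max(shared) if shared else None

def intolerant_select(offered, supported):
    """Defective behaviour: any unrecognised value aborts the handshake."""
    if any(v not in supported for v in offered):
        return None
    return max(offered)

def unknown_values(offered, supported):
    """Label what an intolerant peer rejected: a GREASE probe or a real new version."""
    return [("grease" if is_grease(v) else "new-version", hex(v))
            for v in offered if v not in supported]

# Constructed sample bodies (not captured traffic).
PLAIN_OFFER = bytes.fromhex("04" "0303" "0302")          # TLS 1.2, 1.1
GREASE_OFFER = bytes.fromhex("04" "8a8a" "0303")         # GREASE, TLS 1.2
TLS13_OFFER = bytes.fromhex("06" "8a8a" "0304" "0303")   # GREASE, TLS 1.3, 1.2

if __name__ == "__main__":
    for name, body in (("plain", PLAIN_OFFER), ("grease", GREASE_OFFER),
                       ("tls13", TLS13_OFFER)):
        offered = parse_supported_versions(body)
        print(name, tolerant_select(offered, LEGACY_BOX),
              intolerant_select(offered, LEGACY_BOX),
              unknown_values(offered, LEGACY_BOX))
```

With `PLAIN_OFFER` both selectors agree, so the defect stays hidden; `GREASE_OFFER` already makes the intolerant selector fail before any real new version is offered.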

~~~
throwaway2048
This doesn't really seem to solve anything, everyone now ignores the enumerated
GREASE values as they are reserved upfront, and will continue to cause
failures with other extended values. yay?

~~~
dvorak42
This at least means that the developer is aware that these parts of the spec
are extensible, and by explicitly ignoring the GREASE values are explicitly
choosing to potentially have a broken application in the future. This is a
different class of problems than developers who weren't aware certain fields
were extensible.

------
feld
Why doesn't Google have a lab of MITM proxy equipment instead of testing
conformance in the wild?

------
dorfsmay
Browsers should add a button which allows being proxied, combined with a
campaign to educate people on the difference.

I think it's reasonable for a company to want to filter everything that comes
through their pipe, if anything, it's a bit of a liability not to do it, but
at the same time, non-technical people should understand that their connection
is being unencrypted and re-encrypted, and be educated on the consequences.

There are a few local coffee shops which terminate SSL, and when people see me
closing my browser and laptop, or starting to tether through my phone because
of the cert error they tell me "oh, you just need to accept all those certs!".

------
komali2
Who's the guy with fifty thousand Chromebooks? Goodness.

~~~
nl
They actually have 120,000. ("Upwards of 50,000 (out of 120,000) Chromebooks
have updated to OS56.")

They also have 46,000 PCs. So yeah - pretty decent size...

------
dang
Edit: oops, my mistake. Carry on.

> _Have some god damn ethics_

Personal attacks are not allowed on HN. We ban accounts that do this, so
please don't do it.

We detached this subthread from
[https://news.ycombinator.com/item?id=13750650](https://news.ycombinator.com/item?id=13750650)
and marked it off-topic.

~~~
riffic
This was not intended to be read as a personal attack, sorry about that.

My intention was a (perhaps poorly worded) call on those in the industry to
have a sense of ethics, and not meant to single out any person in particular.

~~~
dang
Sorry for misreading you! I've put your comment back and detached this bit
instead.

