Spying on HTTPS

When I launched Chrome on Thursday, I saw something unexpected:

While most users probably would have no idea what to make of this, I happened to know what it means– Chrome is warning me that the system configuration has instructed it to leak the secret keys it uses to encrypt and decrypt HTTPS traffic to a stream on the local computer.

Looking at the Chrome source code, this warning was newly added last week. More surprising was that I couldn’t find the SSLKeyLogFile setting anywhere on my system. Opening a new console showed that it wasn’t set:

C:\WINDOWS\system32>set sslkeylogfile
Environment variable sslkeylogfile not defined

…and opening the System Properties > Advanced > Environment Variables UI showed that it wasn’t set for either my user account or the system at large. Weird.

Fortunately, I understood from past investigations that a process can have different environment variables than the rest of the system, and Process Explorer can show the environment variables inside a running process. Opening Chrome.exe, we see that it indeed has an SSLKEYLOGFILE set:

The unusual syntax with the leading \\.\ means that this isn’t a typical local file path but instead a named pipe, which means that it doesn’t point to a file on disk (e.g. C:\temp\sslkeys.txt) but instead to memory that another process can see.

My machine was in this state because earlier that morning, I’d installed Avast Antivirus to attempt to reproduce a bug a Chrome user encountered. Avast is injecting the SSLKEYLOGFILE setting so that it can conduct a monster-in-the-browser attack (MITB) and see the encrypted traffic going into Chrome.

Update: In February 2024, Avast was assessed a $16.5M fine by the FTC over their handling of data gathered via this technique.

Makers of antivirus products know that browsers are one of the primary vectors by which attackers compromise PCs, and as a consequence their security products often conduct MITB attacks in order to scan web content. Antivirus developers have two common techniques to scan content running in the browser:

Code injection
Network interception

Code Injection

The code injection technique relies upon injecting security code into the browser process. The problem with this approach is that native code injections are inherently fragile– any update to the browser might move its functions and data structures around such that the security code will fail and crash the process. Browsers discourage native code injection, and the bug I was looking at was related to a new feature, RendererCodeIntegrity, that directs the Windows kernel to block loading of any code not signed by Microsoft or Google into the browser’s renderer processes.

An alternative code-injection approach relies upon using a browser extension that operates within the APIs exposed by the browser– this approach is more stable, but can address fewer threats.

Even well-written code injections that don’t cause stability problems can cause significant performance regressions for browsers– when I last looked at the state of the industry, performance costs for top AV products ranged from 20% to 400% in browser scenarios.

Network Interception

The Network interception technique relies upon scanning the HTTP and HTTPS traffic that goes into the browser process. Scanning HTTP traffic is straightforward (a simple proxy server can do it), but scanning HTTPS traffic is harder because the whole point of HTTPS is to make it impossible for a network intermediary to view or modify the plaintext network traffic.

Historically, the most common mechanism for security-scanning HTTPS traffic was to use a monster-in-the-middle (MITM) proxy server running on the local computer. The MITM would instruct Windows to trust a self-signed root certificate, and it would automatically generate new interception certificates for every secure site you visit. I spent over a decade working on such a MITM proxy server, the Fiddler Web Debugger.

There are many problems with using a MITM proxy, however. The primary problem is that it’s very very hard to ensure that it behaves exactly as the browser does and that it does not introduce security vulnerabilities. For instance, if the MITM’s certificate verification logic has bugs, then it might accept a bogus certificate from a spoof server and the user would not be warned– Avast used to use a MITM proxy and had exactly this bug; they were not alone. Similarly, the MITM might not support the most secure versions of protocols supported by the browser and server (e.g. TLS/1.3) and thus using the MITM would degrade security. Some protocol features (e.g. Client Certificates) are incompatible with MITM proxies. And lastly, some security features (specifically certificate pinning) are fundamentally incompatible with MITM certificates and are disabled when MITM certificates are used.

Given the shortcomings of using a MITM proxy, it appears that Avast has moved on to a newer technique, using the SSLKeyLogFile to leak the secret keys HTTPS negotiates on each connection to encrypt the traffic. Firefox and Chromium support this feature, and it enables decryption of TLS traffic without using the MITM certificate generation technique. While browser vendors are wary of any sort of interception of HTTPS traffic, this approach is generally preferable to MITM proxies.

There’s some worry that Chrome’s new notification bar might drive security vendors back to using more dangerous techniques, so this notification might not make its way into the stable release of Chrome.

When it comes to browser architecture, tradeoffs abound.

-Eric

PS: I’m told that Avast may be monetizing the data they’re decrypting.
Update: In February 2024, Avast was assessed a $16.5M fine by the FTC over their handling of data gathered via this technique.

Appendix: Peeking at the Keys

If we point the SSLKeyLog setting at a regular file instead of a named pipe:

chrome --ssl-key-log-file=C:\temp\sslkeys.txt

…we can examine the file’s contents as we browse to reveal the encryption keys:

This file alone isn’t very readable for a human (even if you read Mozilla’s helpful file format documentation), but you can configure tools like Wireshark to make use of it and automatically decrypt captured TLS traffic back to plaintext.

9 thoughts on “Spying on HTTPS”

Andy says:

2019-08-12 at 05:27

Is monster-in-the-middle a replacement term for man-in-the-middle or different somehow?

1. ericlaw says:
  
  2019-08-12 at 10:15
  
  It’s the same thing, recognizing that the MITM is neither male, nor human at all.
  
  Some have protested that “monster” has negative connotations, but anyone who grew up with Sesame Street or modern Disney movies knows that’s an unfair stereotype. And Monster is more fun. You like fun, don’t you? Don’t you?!?
  
  1. Roger Hågensen says:
    
    2019-08-15 at 06:48
    
    I truly hope this term catches on over the old one. I can only imagine the stock art “security” articles will use.
prasanth says:

2019-08-12 at 11:16

i always had this doubt, what all information is disclosed in https traffic. url? target server ip address? ssl version? host ip address?

1. ericlaw says:
  
  2019-08-12 at 11:24
  
  I wrote about that topic here: https://textslashplain.com/2018/02/14/understanding-the-limitations-of-https/
  
  The tldr is that a network-based attacker can not see HTTPS URLs, but typically can see the target server’s hostname, client/server IP addresses, and the TLS version.
  
  1. Roger Hågensen says:
    
    2019-08-15 at 07:01
    
    DNS over HTTPS (DoH) and DNS over TLS (DoT) should get just more widespread/supported over time which should solve the leaked domain name info problem.
    
    You’d still need to address the IP though. I can’t recall if IPv6 has any improvements that can make end to end encryption connections more unreadable from the outside.
    
    I guess you could always do tunnels, from one proxy to another. If you trust those two proxies then any MITM eavesdroppers will see nothing (just a encrypted stream between the two proxies), no domains or ips etc.
steffenbauch says:

2019-08-13 at 14:25

Thank you for the nice article. What is your source for “performance costs for top AV products ranged from 20% to 400% in browser scenarios”?

1. ericlaw says:
  
  2019-08-13 at 14:49
  
  Browser teams run performance labs that measure this sort of thing.
  
2. Roger Hågensen says:
  
  2019-08-15 at 07:12
  
  You can verify this by looking at https://www.av-test.org/en/antivirus/home-windows/
  
  I’d like to point out that Windows Defender got a “perfect score” on Protection, Performance, Usability. Sharing the 1st place with kaspersky and f-secure’s offerings.
  
  Myself I’ve always found the “out-of-the-box AV” in Windows to be a good background software.
  
  A few times it may lockup a newly downloaded file while checking so I’ll have to wait unzipping or moving it but this is expected (but I always forget it), in the past it would on rare occasion do a lot of disk access and use quite a bit of one CPU thread, but I can’t recall that being a issue for months now (or possibly years now).
  
  Most of the time I simply forget it’s there, no nagging or annoying boxes or anything. The OOB (Out Of Box) experience is stellar in this case. It’s been a decade since I’ve used any other AV now. I can understand wanting to use other AV if you have special needs and they have the features you want though.
  
  I wonder how the browser integration is with Windows Defender? Does it just end with a file lock being handed over from the browser to the AV or is there more integration possible?