
Monsters in the Middleboxes: Introducing Two New Tools for Detecting HTTPS Interception

What's this blog post about?

The blog post discusses HTTPS interception, a practice that has drawn scrutiny for weakening the security of TLS connections, and introduces two new tools: MITMEngine, an open-source library for detecting HTTPS interception, and MALCOLM, a dashboard displaying metrics about the HTTPS interception observed on Cloudflare's network. The post describes the kinds of middleboxes that intercept HTTPS, including TLS-terminating forward proxies, antivirus software, corporate proxies, malware proxies, leaky proxies and reverse proxies.

It also explains why HTTPS interception is worth examining: a mismatch between what a client claims to be and how it actually negotiates TLS can flag suspicious clients, and intercepting middleboxes hinder the adoption of new innovations in TLS.

The post then presents MITMEngine, an open-source HTTPS interception detector developed by Cloudflare's Cryptography team. It takes the observed TLS Client Hello together with the request's User-Agent and compares the values in the Client Hello to a set of known browser Client Hellos; when the handshake does not match what the claimed browser sends, interception is the likely explanation. MALCOLM applies MITMEngine to a sample of Cloudflare's overall traffic and reports the HTTPS interception observed in requests hitting the network. The post concludes by encouraging readers to explore more HTTPS interception data using these tools and to contribute to MITMEngine.
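To make that comparison concrete, here is an added example in Go (not code from the original post or from MITMEngine itself): it parses a TLS Client Hello into a fingerprint of cipher suites and extension types, maps the User-Agent to a browser family, and reports the first field that disagrees with the reference fingerprint for that browser. The reference fingerprints, the User-Agent mapping, the sample proxy-style Client Hello and the helper that serialises Client Hellos are all constructed for this example; a real detector needs a maintained fingerprint database, version-aware matching and handling of GREASE values, which this sketch omits.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"reflect"
	"strings"
)

// Fingerprint holds the Client Hello fields compared: cipher_suites and extension types, in the order sent.
type Fingerprint struct{ Ciphers, Extensions []uint16 }
// known maps a browser family to the fingerprint it is expected to send. These values are
// constructed for the example; they are not Cloudflare's reference data.
var known = map[string]Fingerprint{
	"Chrome":  {[]uint16{0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f}, []uint16{0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43}},
	"Firefox": {[]uint16{0x1301, 0x1303, 0x1302, 0xc02b, 0xc02f}, []uint16{0, 23, 65281, 10, 11, 16, 5, 51, 43, 13, 45}},
}
var errMalformed = errors.New("truncated or malformed ClientHello")

// ParseClientHello parses a ClientHello handshake message (without the 5-byte TLS record header).
// Every length field is checked against the bytes actually present, so a truncated or forged message is rejected.
func ParseClientHello(msg []byte) (fp Fingerprint, err error) {
	// type(1) length(3) legacy_version(2) random(32) session_id_len(1) must all be present
	if len(msg) < 39 || msg[0] != 0x01 || int(msg[1])<<16|int(msg[2])<<8|int(msg[3]) != len(msg)-4 {
		return fp, errMalformed
	}
	b, p := msg[4:], 35+int(msg[38]) // handshake body, and the offset just past the session id
	if len(b) < p+2 {
		return fp, errMalformed
	}
	n := int(binary.BigEndian.Uint16(b[p:])) // cipher_suites length in bytes
	p += 2
	if n%2 != 0 || len(b) < p+n+1 {
		return fp, errMalformed
	}
	for i := 0; i < n; i += 2 {
		fp.Ciphers = append(fp.Ciphers, binary.BigEndian.Uint16(b[p+i:]))
	}
	p += n + 1 + int(b[p+n]) // skip cipher suites and compression methods
	if len(b) < p+2 || int(binary.BigEndian.Uint16(b[p:])) != len(b)-p-2 {
		return fp, errMalformed // extensions length must cover exactly the rest
	}
	for p += 2; p < len(b); {
		if len(b) < p+4 || len(b) < p+4+int(binary.BigEndian.Uint16(b[p+2:])) {
			return fp, errMalformed
		}
		fp.Extensions = append(fp.Extensions, binary.BigEndian.Uint16(b[p:]))
		p += 4 + int(binary.BigEndian.Uint16(b[p+2:]))
	}
	return fp, nil
}

// Detect names the first Client Hello field that disagrees with the reference fingerprint for
// the browser named in ua, or "" when the handshake looks genuine. An error means no verdict.
func Detect(ua string, hello []byte) (string, error) {
	fp, err := ParseClientHello(hello)
	if err != nil {
		return "", err
	}
	browser := "" // later match wins: Chromium-derived agents also carry "Chrome/", Firefox never does
	for _, b := range []string{"Chrome", "Firefox"} {
		if strings.Contains(ua, b+"/") {
			browser = b
		}
	}
	want, ok := known[browser]
	switch {
	case !ok:
		return "", errors.New("no reference fingerprint for this User-Agent")
	case !reflect.DeepEqual(fp.Ciphers, want.Ciphers):
		return "cipher suites", nil
	case !reflect.DeepEqual(fp.Extensions, want.Extensions):
		return "extensions", nil
	}
	return "", nil
}

// BuildClientHello serialises a ClientHello (zero random, empty session id, null compression,
// empty extension payloads); used here only to construct sample input.
func BuildClientHello(fp Fingerprint) []byte {
	be := func(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
	body := be(append([]byte{3, 3}, make([]byte, 33)...), uint16(2*len(fp.Ciphers)))
	for _, c := range fp.Ciphers {
		body = be(body, c)
	}
	body = be(append(body, 1, 0), uint16(4*len(fp.Extensions)))
	for _, e := range fp.Extensions {
		body = be(be(body, e), 0)
	}
	return append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
}

func main() {
	ua := "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
	proxy := Fingerprint{[]uint16{0xc02f, 0x009c, 0x002f}, []uint16{0, 10, 11, 13}} // constructed proxy-style hello: a cipher list no Chrome sends
	fmt.Println(Detect(ua, BuildClientHello(known["Chrome"])))
	fmt.Println(Detect(ua, BuildClientHello(proxy)))
}
```

The parser checks every length field against the bytes present, so a truncated or length-forged message is rejected outright instead of yielding a partial fingerprint that might happen to match a browser. Comparing the ordered lists rather than sets matters too: proxies that offer the right suites in a different order are still caught.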

Company
Cloudflare

Date published
March 18, 2019

Author(s)
Gabbi Fisher, Luke Valenta

Word count
2314

Language
English

Hacker News points
213


By Matt Makai. 2021-2024.