TLS Proxies: Friend or Foe?

Abstract: The use of TLS proxies to intercept encrypted traffic is controversial since the same mechanism can be used for both benevolent purposes, such as protecting against malware, and for malicious purposes, such as identity theft or warrantless government surveillance. To understand the prevalence and uses of these proxies, we build a TLS proxy measurement tool and deploy it via Google AdWords campaigns. We generate 15.2 million certificate tests across two large-scale measurement studies. We find that 1 in 250 TLS connections are TLS-proxied. The majority of these proxies appear to be benevolent, however we identify over 3,600 cases where eight malware products are using this technology nefariously. We also find numerous instances of negligent, duplicitous, and suspicious behavior, some of which degrade security for users without their knowledge. Distinguishing these types of practices is challenging in practice, indicating a need for transparency and user awareness.