Editing Deep packet inspection (section)
==Encryption and tunneling subverting DPI and its countermeasure MitM==
[[File:SSL Deep Inspection Explanation.svg|alt=|thumb|700x700px|SSL/TLS Deep Inspection]]
{{Expand section|date=January 2017}}

With increased use of HTTPS and privacy tunneling using VPNs, the effectiveness of DPI is coming into question.<ref>Sherry Justine, Chang Lan, Raluca Ada Popa, and Sylvia Ratnasamy, [http://dl.acm.org/citation.cfm?id=2787502 Blindbox: Deep packet inspection over encrypted traffic], ACM SIGCOMM Computer Communication Review, 2015</ref> In response, many [[web application firewall]]s now offer ''HTTPS inspection'', where they decrypt HTTPS traffic to analyse it.<ref name="checkpoint">{{Cite web|url=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202|title=Best Practices - HTTPS Inspection|date=2017-07-21|website=Check Point Support Center|quote=With HTTPS Inspection, the Security Gateway can inspect the traffic that is encrypted by HTTPS. The Security Gateway uses certificates and becomes an intermediary between the client computer and the secure web site. All data is kept private in HTTPS Inspection logs. Only administrators with HTTPS Inspection permissions can see all the fields in a log.}}</ref> The [[Web application firewall|WAF]] can either terminate the encryption, so that the connection between the WAF and the client browser uses plain HTTP, or re-encrypt the data using its own HTTPS certificate, which must be distributed to clients beforehand.<ref name="imperva">{{Cite web|url=https://www.imperva.com/Products/WebApplicationFirewall-WAF|title=SecureSphere WAF Specifications|archive-url=https://web.archive.org/web/20161116153216/https://www.imperva.com/Products/WebApplicationFirewall-WAF|archive-date=2016-11-16}}</ref> The techniques used in HTTPS/SSL inspection (also known as HTTPS/SSL interception) are the same as those used by [[Man-in-the-middle attack|man-in-the-middle (MitM) attacks]].<ref>{{cite web|title= HTTPS Interception Weakens TLS Security|url =https://www.cisa.gov/news-events/alerts/2017/03/16/https-interception-weakens-tls-security |website = Cyber Security and Infrastructure Security Agency }}</ref> It works like this:<ref>{{cite web |last1=García Peláez |first1=Pedro |title=WO2005060202 - METHOD AND SYSTEM FOR ANALYSING AND FILTERING HTTPS TRAFFIC IN CORPORATE NETWORKS (11-12-2003) |url=https://patentscope.wipo.int/search/en/detail.jsf?docId=WO2005060202 |website=World Intellectual Property Organization (WIPO)}}</ref>

#The client wants to connect to <nowiki>https://www.targetwebsite.com</nowiki>.
#Traffic goes through a firewall or security product.
#The firewall works as a [[transparent proxy]].
#The firewall creates an [[Public key certificate|SSL certificate]] signed by its own "CompanyFirewall [[Certificate authority|CA]]".
#The firewall presents this "CompanyFirewall [[Certificate authority|CA]]"-signed certificate to the client (not the targetwebsite.com certificate).
#At the same time, the firewall connects to <nowiki>https://www.targetwebsite.com</nowiki> on its own.
#www.targetwebsite.com presents its officially signed certificate (signed by a trusted [[Certificate authority|CA]]).
#The firewall checks the [[Public key certificate#Types of certificate|certificate trust chain]] on its own.
#The firewall now works as a [[Man-in-the-middle attack|man-in-the-middle]].
#Traffic from the client can be decrypted (with the key exchange information from the client), analysed (for harmful traffic, policy violations or viruses), encrypted (with the key exchange information from targetwebsite.com) and sent to targetwebsite.com.
#Traffic from targetwebsite.com can also be decrypted (with the key exchange information from targetwebsite.com), analysed, encrypted (with the key exchange information from the client) and sent to the client.
#The firewall can read all the information exchanged between the SSL client and the SSL server (targetwebsite.com).

This can be done with any TLS-terminated connection (not only HTTPS) as long as the firewall product can modify the trust store of the SSL client.

{{See also|Kazakhstan man-in-the-middle attack}}
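The trust-store condition in the last sentence, as an added example that is not part of this article or of any vendor's product: using only Go's standard crypto/x509, the program below constructs a stand-in "Public Root CA" and the firewall's own "CompanyFirewall CA" (names taken from the list above; all keys are generated in-process), issues a certificate for www.targetwebsite.com from each, and shows that the client only accepts the firewall's certificate once the firewall's CA sits in its trust store, while an SPKI pin taken from the genuine certificate still reveals the substitution.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// parse turns the (DER, error) pair from x509.CreateCertificate into a parsed certificate (demo only).
func parse(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c }
// newCA builds a throw-away self-signed CA; both "Public Root CA" and "CompanyFirewall CA" are constructed here.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	return parse(x509.CreateCertificate(rand.Reader, t, t, pub, priv)), priv
}

// issueLeaf is step 4 above: the CA signs a certificate for www.targetwebsite.com over a fresh key.
func issueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey) *x509.Certificate {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"www.targetwebsite.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	return parse(x509.CreateCertificate(rand.Reader, t, ca, pub, caKey))
}

// clientAccepts is the client's check at step 5: does leaf chain to a root in the client's trust store?
func clientAccepts(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.targetwebsite.com", Roots: pool})
	return err == nil
}

// Demo: accepted with an untouched trust store? accepted once CompanyFirewall CA is added? SPKI pin still matching?
func Demo() (untouched, modified, pinMatches bool) {
	root, rootKey := newCA("Public Root CA")
	fw, fwKey := newCA("CompanyFirewall CA")
	genuine, substitute := issueLeaf(root, rootKey), issueLeaf(fw, fwKey)
	pinMatches = sha256.Sum256(substitute.RawSubjectPublicKeyInfo) == sha256.Sum256(genuine.RawSubjectPublicKeyInfo)
	return clientAccepts(substitute, root), clientAccepts(substitute, root, fw), pinMatches
}
func main() { fmt.Println(Demo()) } // prints: false true false
```

The pin comparison is why certificate- or key-pinned clients (and mutual-TLS endpoints) break behind HTTPS inspection: the substitute certificate chains correctly once the CA is trusted, but it cannot carry the genuine server's key.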