2

I have a bunch of HTTP services/devices that are TLS-unaware. I want to allow them to access the WAN, but of course I do not want them to do it in plain HTTP.

Updating them is unworkable due to legacy issues and hardware requirements for a proper TLS implementation.

The only point where I can force encryption is the WAN <-> LAN gateway, using a TLS proxy with some help from the firewall.

What are the security risks of this solution?

user3368561
  • 161
  • 5
  • Looks like a simple _reverse proxy_ could solve your problem, doesn't it? Terminates TLS and "directs" (forwards/proxies) traffic to the appropriate application. – rugk May 23 '19 at 20:32

1 Answer

2

Put simply, the risk is that you won't have TLS between your TLS proxy and the end webserver.

This sort of design is fairly common: plenty of services terminate TLS connections at a load balancer and run plain HTTP from there to the webserver. If you segment your network appropriately you can mitigate the risk posed by having the remainder of this link unencrypted.

Also see this answer.

markeldo
  • 129
  • 4
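The design the answer describes, as an added example that is not part of the original question or answer: a small Python gateway proxy that accepts plain HTTP from a TLS-unaware LAN device and re-issues each request over verified TLS to the upstream named in the Host header. It goes one step beyond the text by adding an egress allow-list, since a TLS-wrapping proxy that honours any Host header is an open relay for everything on that LAN segment. The allow-list entries, the listen port and the sample requests are constructed assumptions.

```python
"""Minimal TLS-originating gateway proxy for TLS-unaware LAN devices.
Added example, not code from the original question or answer. The legacy device
speaks plain HTTP to this proxy; the proxy re-issues the request over HTTPS with
the upstream certificate verified. Allow-list and ports are constructed values."""
import http.client
import socket
import ssl
import threading
from typing import NamedTuple

# Constructed egress policy: the gateway only wraps traffic for these upstreams.
ALLOWED_UPSTREAMS = frozenset({"api.example.com", "updates.example.com"})
# Hop-by-hop headers belong to one TCP connection and are never forwarded.
HOP_BY_HOP = frozenset({"connection", "keep-alive", "proxy-connection",
                        "transfer-encoding", "te", "trailer", "upgrade"})

class ParsedRequest(NamedTuple):
    method: str
    path: str
    host: str
    headers: dict
    body: bytes

def parse_plain_http(raw: bytes) -> ParsedRequest:
    """Parse one plain HTTP/1.x request exactly as a legacy device sends it."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request header block")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported protocol version: %r" % version)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("Host header is required to pick the TLS upstream")
    path = target  # absolute-form targets (GET http://h/p) reduce to the path
    if target.lower().startswith("http://"):
        path = "/" + target.split("/", 3)[3] if target.count("/") >= 3 else "/"
    host = headers["host"].split(":")[0].lower()  # upstream is always HTTPS/443
    length = int(headers.get("content-length", "0"))
    return ParsedRequest(method, path, host, headers, body[:length])

def upstream_allowed(host: str) -> bool:
    """Egress check so the proxy is not an open relay for the LAN segment."""
    return host in ALLOWED_UPSTREAMS

def forward_headers(headers: dict) -> dict:
    """Drop hop-by-hop headers; the proxy manages its own upstream connection."""
    return {k: v for k, v in headers.items() if k not in HOP_BY_HOP}

def relay_over_tls(req: ParsedRequest, timeout: float = 10.0) -> bytes:
    """Re-issue the request over verified TLS and return the raw HTTP response."""
    if not upstream_allowed(req.host):
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    conn = http.client.HTTPSConnection(req.host, 443, timeout=timeout, context=ctx)
    conn.request(req.method, req.path, body=req.body or None,
                 headers=forward_headers(req.headers))
    resp = conn.getresponse()
    payload = resp.read()
    conn.close()
    skip = HOP_BY_HOP | {"content-length"}
    out = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    out += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders()
                   if k.lower() not in skip)
    out += "Content-Length: %d\r\nConnection: close\r\n\r\n" % len(payload)
    return out.encode("latin-1") + payload

def _handle(client: socket.socket) -> None:
    """Read one request from a device, relay it, write the response back."""
    with client:
        client.settimeout(10.0)
        buf = b""
        while b"\r\n\r\n" not in buf:  # collect the header block first
            chunk = client.recv(65536)
            if not chunk:
                return
            buf += chunk
        try:
            head, _, body = buf.partition(b"\r\n\r\n")
            req = parse_plain_http(head + b"\r\n\r\n")
            need = int(req.headers.get("content-length", "0"))
            while len(body) < need and (chunk := client.recv(65536)):
                body += chunk  # finish reading a declared body
            client.sendall(relay_over_tls(req._replace(body=body[:need])))
        except (ValueError, OSError, http.client.HTTPException):
            client.sendall(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")

def serve(listen=("0.0.0.0", 8080)) -> None:
    """Accept plain HTTP from the LAN; the firewall redirects port 80 here."""
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    serve()
```

Run it on the gateway and have the firewall redirect the LAN segment's outbound TCP port 80 to the listen port (with iptables, a `-t nat` PREROUTING rule on the LAN interface with `-j REDIRECT --to-ports 8080`; the proxy needs only the Host header, not the original destination address). The device-to-proxy hop remains plain HTTP, which is exactly the residual risk the answer names and why that segment has to be isolated; `ssl.create_default_context()` makes the proxy refuse any upstream whose certificate does not validate, and the allow-list keeps the wrapped path from becoming a general-purpose egress channel.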