Skip to content

Encryption Validation (NET-ENCRYPT)

Validate that TLS inspection, certificate pinning, and SNI matching are enforced to prevent evasion.

Objectives

  • Enforce certificate pinning to prevent MitM attacks.
  • Prevent Domain Fronting via SNI/Host mismatch checks.
  • Block ECH (Encrypted Client Hello) to ensure visibility.

Controls Under Test

  • Certificate pinning configuration.
  • SNI/Host header validation.
  • ECH blocking/downgrade.

Test Scenarios

IDThreat / ScenarioUniversal ProcedureExpected Outcome & Audit
NET-ENCRYPT-01Certificate PinningMitM Attack / Invalid Certs.
Intercept traffic with a different CA than the pinned root bundle.
Pass: SSL certificate error (curl: (60)) or connection dropped.
NET-ENCRYPT-02Domain FrontingBypassing allowlist via SNI/Host mismatch.
Initiate request with mismatched SNI and HTTP Host header.
Pass: Denied.
Audit: reason: sniMismatch.
NET-ENCRYPT-03Weak Cipher NegotiationBypassing inspection by forcing weak ciphers.
Client offers only deprecated ciphers (e.g., RC4, 3DES) during TLS handshake.
Pass: Handshake failure; Proxy rejects weak ciphers.
Audit: reason: handshakeFailure or weakCipher
NET-ENCRYPT-04ECH EvasionEncrypted Client Hello blinding the proxy.
Enable ECH and connect to a Cloudflare-fronted site.
Pass: Blocked or downgraded.
Audit: reason: echDetected or sniMissing

Evidence Requirements

  • Audit category: network
  • Required fields: reason, sni, integrity.hash