Appearance
Encryption Validation (NET-ENCRYPT)
Validate that TLS inspection, certificate pinning, and SNI matching are enforced to prevent evasion.
Objectives
- Enforce certificate pinning to prevent MitM attacks.
- Prevent Domain Fronting via SNI/Host mismatch checks.
- Block ECH (Encrypted Client Hello) to ensure visibility.
Controls Under Test
- Certificate pinning configuration.
- SNI/Host header validation.
- ECH blocking/downgrade.
Test Scenarios
| ID | Threat / Scenario | Universal Procedure | Expected Outcome & Audit |
|---|---|---|---|
| NET-ENCRYPT-01 | Certificate Pinning | MitM Attack / Invalid Certs. Intercept traffic with a different CA than the pinned root bundle. | Pass: SSL certificate error (curl: (60)) or connection dropped. |
| NET-ENCRYPT-02 | Domain Fronting | Bypassing allowlist via SNI/Host mismatch. Initiate request with mismatched SNI and HTTP Host header. | Pass: Denied. Audit: reason: sniMismatch. |
| NET-ENCRYPT-03 | Weak Cipher Negotiation | Bypassing inspection by forcing weak ciphers. Client offers only deprecated ciphers (e.g., RC4, 3DES) during TLS handshake. | Pass: Handshake failure; Proxy rejects weak ciphers. Audit: reason: handshakeFailure or weakCipher |
| NET-ENCRYPT-04 | ECH Evasion | Encrypted Client Hello blinding the proxy. Enable ECH and connect to a Cloudflare-fronted site. | Pass: Blocked or downgraded. Audit: reason: echDetected or sniMissing |
Evidence Requirements
- Audit category:
network - Required fields:
reason,sni,integrity.hash
