The Implications of Encrypted Web Traffic for Security

When it comes to security, it would seem like encryption is a good thing, right? Encryption is a good tool for protecting the confidentiality of your information, but (as the trend of ransomware has shown us) it has a down side. Secrecy can work for the the good guys and the bad guys both. Securing your network requires being aware of what is going on and what communications take place, and encryption can make that difficult.

Just a few years ago, encryption on the web was used primarily just for logins and for sensitive parts of session, such as payments. However, that began to change in 2010 when Google changed Gmail to use HTTPS by default. That was followed by Facebook and Google search going to HTTPS by default in 2011 (Google completed the switch in 2012), Twitter in 2012, YouTube in 2014, and Wikipedia in 2015. Netflix has announced their intention to move entirely to HTTPS, but currently most of their actual streaming is still un-encrypted. Currently, most networks see more unencrypted traffic than encrypted, but as Netflix (the single largest source of web traffic worldwide) transitions to encryption that is likely to change. Most experts predict that by the end of 2016 the majority of web traffic will be encrypted via SSL/TLS.

Two of the foundational principles of security are visibility and awareness -- you have to know what you are protecting and be able to see what is happening. Encrypted traffic makes this difficult or impossible. One basic, common security technology is intrusion detection or prevention (IDS/IPS), which looks at network traffic for signs of something un-friendly (in some modern firewalls, this capability is built-in). If the traffic is encrypted, an IDS/IPS system is mostly unable to see it or detect anything in it. Data loss prevention (DLP) systems, network anti-malware, and packet logging systems can also be rendered ineffective (or much less effective) due to traffic encryption.

The solution that is used these days more and more frequently is SSL inspection (or HTTPS inspection, or SSL Decryption, depending on the vendor). This is a technique previously more associated with hackers or shady software doing a "man-in-the-middle" on encrypted web traffic. It works by having the firewall or a web proxy complete the HTTPS connection and then proxy, or essentially "echo," the connection to the web server. Instead of one HTTPS session between web browser and web server, you break it into two sessions: one between the browser and the firewall/proxy, and one between the firewall/proxy and the web server. This allows the firewall or proxy to see the un-encrypted traffic and either inspect it itself or pass it on to an IDS/IPS, DLP, or other inspection or logging tool. The session is still encrypted in transit, except on these security systems, though corporate IT administrators may potentially have access to the unencrypted data.

In order for this to work, the man-in-the-middle firewall or proxy uses its own security certificate, rather than the certificate of the actual target web server. This breaks the intended function of the certificate to ensure that the site visited matches the certificate used. It works because the organization configures their computers to trust one "wildcard" certificate, which is used for all sites.

The practice of SSL inspection is a somewhat controversial one. It subverts some of the purposes of secure web traffic by breaking the encryption and by modifying the intended identification assurance function of the site's certificate. More importantly, it defies users' expectations that when their browser tells them a site is secure and they are on a secure connection, nobody can see the information being sent. If you are considering implementing SSL inspection, here are some factors to keep in mind:
  • DEFINITELY work closely with your organizations HR and legal teams. It is vital that your users are adequately informed that their network traffic, even when it may appear to be encrypted, is subject to internal monitoring. Also ensure that exceptions and whitelisted sites/categories are appropriate (see below).

  • Tools that do SSL inspection allow you whitelist sites or categories of sites that should NOT be decrypted. Banking and other finance sites, for example, are often an made an exception so that users' financial information isn't viewable by IT staff. Also, some non-browser applications, such as the Dropbox file sync application, won't work with SSL inspection, so if the use of these is desired they must be granted exceptions.

  • Ensure that strict policy and technical controls are in place to limit who can access any live or stored decrypted data. Separation of duties and accountability are key here, as access to such data is a matter of significant trust.

  • Make sure your hardware is adequate to the task. SSL inspection is processor and memory intensive, and as a greater share of traffic is encrypted it will be a growing burden on firewalls that perform this function. When buying hardware, plan ahead for future growth in both the network bandwidth and the demands of the tasks required of the firewall.

  • Ensure that any monitoring tools are connected appropriately. We have seen situations where an IDS/IPS was connected incorrectly to an SSL decrypting proxy, and the IDS/IPS was receiving encrypted, rather than decrypted, traffic for inspection.

  • Ensure that growers will function properly with this capability. Internet Explorer and Chrome use the certificate trust store built into Windows, and it is relatively easy to use Group Policy to get domain member computers to trust a wildcard certificate used for SSL inspection. Firefox, however, has its own certificate store, and loading a new trusted certificate in Firefox on existing deployed computers can be difficult.

Further Reading:
​http://www.securityweek.com/encrypted-network-traffic-comes-cost
https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840
http://www.infosecisland.com/blogview/24466-The-Current-State-of-Insecurity-Strategies-for-Inspecting-SSL-Traffic.html
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Weekly Infosec News Brief: 22-28 February

Image
Ransomware Observed to Jump from One Device to Another via the Cloud Researchers described last week an incident where they observed malicious "ransomware" propagating from one device to another via cloud-based file synchronization. When the ransomware encrypted files on one machine that synchronized files to a specific folder, it spread to other PCs that synchronized to that same folder. This type of phenomenon is simply another reason for organizations to serious consider limiting or eliminating the use of such file-synchronizing software within their networks. http://www.scmagazine.com/researchers-confirm-cases-of-ransomware-encryption-jumping-devices-via-cloud-apps/article/479572/ New OpenSSL Patches Soon to Come The OpenSSL project team announced last Thursday that they are working on patches to fix at least two "high" severity vulnerabilities in OpenSSL. This is the software that powers the cryptographic security layer of many web servers, browser
Read more