The Unintended Consequences Of Strong Encryption
This article originally appeared in Forbes.
Secure sockets layer (SSL) is an industry-standard method for secure communications on the internet. SSL—along with its successor, transport layer security (TLS)—is the commonly accepted standard for securing data in transit. SSL protects data using cryptographic techniques that leverage public and private keys for encryption and decryption. The SSL cryptographic model uses certificates to validate the authenticity of communicating entities.
Websites use SSL to ensure secure connections between a user’s web browser and the web server. Hypertext transfer protocol (HTTP) is the ubiquitous text protocol of the internet. An SSL-secured website URL begins with “https” (note the “s”) and, depending on the browser, typically has a “lock” icon next to it in the address bar. HTTPS leverages SSL/TLS for authentication and encryption to secure HTTP. This is vital because the information that you send on the internet is passed along from one device to another before it reaches its intended destination. Unsecured HTTP transmits clear text and is not safe for sensitive information such as credit card numbers, usernames and passwords, which may be seen by intermediate devices. When the information is encrypted and protected by SSL/TLS and transmitted by HTTPS, only the intended recipient can decrypt and consume the information.
Originally developed in 1994, the SSL protocol has evolved to become even more secure. Initially, SSL was intended primarily to secure banking and e-commerce transactions. With the rise of data-privacy concerns, more websites now enable SSL by default. According to the most recent Google Transparency Report, 93% of the pages loaded in Google Chrome were encrypted using HTTPS as of April 6. The same report notes that 96 of the top 100 internet sites use HTTPS encryption (and account for 25% of all traffic). This is great news for privacy, but it has created new challenges for enterprise security.
Encryption for all...even the bad guys
For years, the “lock” image next to a website’s URL address provided an assurance of safety. Not anymore: Cybercriminals encrypt, too, and an HTTPS URL can hide difficult-to-detect malware. For enterprise security professionals, decrypting, inspecting and re-encrypting SSL traffic is nontrivial. With traditional hardware-based security, a full inspection can slow data transit. And it’s difficult for those legacy systems to scale to accommodate that inspection without a dramatic performance degradation. Bad actors know this and use SSL to their advantage, serving encrypted malicious content, hiding malware and launching attacks beyond most organizations’ scope of detection.
Bad actors exploit SSL security in a number of ways:
• Hiding dangerous viruses, spyware and other malware.
• Building payload-delivering websites that use SSL encryption.
• Injecting malicious content into well-known and trusted SSL-enabled sites.
• Hiding data leakage, such as the transmission of sensitive financial documents from an organization to an external destination.
• Anonymizing browsing, preventing corporate policy oversight.
SSL interception and analysis: computationally intensive but necessary
More and more websites are switching to HTTPS delivery, making the ability to inspect and control traffic to and from those sites essential to an organization’s security posture. Enforcing that security posture requires SSL interception.
Combatting encrypted malware starts with SSL interception, followed by inspection, assessment and action to ensure nothing bad comes in and no confidential information leaks out. SSL inspection is computationally intensive. It typically requires a proxy server that can terminate the client connection, decrypt the content, analyze it for security issues or policy violations, re-encrypt it and then send it to the server. The process isn’t getting easier: As cryptographic standards evolve, increases in SSL/TLS protocol algorithm and cipher complexity only make the inspection more onerous, which can further impact the user experience. To alleviate performance degradation pain, some IT organizations “bypass” popular sites or, even worse, disable SSL inspection entirely.
SSL inspection: what IT leaders need to know now
Many vendors offer SSL inspection. Enterprise IT leaders considering SSL capabilities and performance would do well to keep the following in mind:
- Scalability: Can the solution scale to inspect higher volumes of SSL-encrypted traffic? Commonly, an organization will see 25-50% organic annual growth in internet traffic. Will the system require appliance upgrades in a few years to accommodate that growth?
- Mobile coverage: Does the solution work consistently for employees in the office and outside the office? Will remote workers have to VPN into the corporate network to get SSL inspection, or can the service work with direct local internet access at homes, coffee shops and on the go?
- Privacy controls: Does the solution offer policy-based SSL interception? For example, can the solution waive inspection for specific banking or health care sites but intercept others? Can those controls be enabled by location? Privacy regulations vary by country, and the ability to manage granular SSL interception controls is important for global coverage.
- User experience: SSL inspection should not introduce latency. This is easier said than done, but it's still a mandate: Comprehensive SSL inspection requires a high-performance architecture and elastic capacity given its stringent compute requirements.
- Future-proof: SSL/TLS standards have evolved over the years. Each revision adds security but also complexity (it’s not unusual for a new encryption standard to be 5-10 times more computationally intensive). Will the SSL solution scale to adjust to new standards? Or will it require upgrades?
- Trust: SSL interception requires trusting a “man in the middle” between client and final destination. The SSL interceptor service must itself be secure. How are certificates handled? Can an organization employ its own keys, or must it blindly trust a third party? Has the solution been pen-tested for vulnerabilities? Does it have the highest levels of security compliance (including FIPS and FedRAMP)?
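The policy-based interception described under "Privacy controls" can be pictured as a per-connection decision made before any decryption happens. The sketch below is an added example, not code from the article or from any vendor's product; the category feed, domain names, country code and function names are all hypothetical. It inspects by default and matches exempt domains only on a label boundary, so a lookalike hostname cannot inherit a banking exemption.

```python
# Added example: policy-based TLS interception decision (constructed data).
# Categories, domains and the country code are assumptions, not from any product.
BYPASS_CATEGORIES = {"banking", "healthcare"}   # privacy-sensitive: do not decrypt
NO_INSPECT_COUNTRIES = {"XX"}                   # placeholder jurisdiction code
DOMAIN_CATEGORY = {                             # constructed category feed
    "examplebank.test": "banking",
    "clinic.test": "healthcare",
}

def normalize(host):
    """Lower-case and drop the trailing root dot so comparisons are canonical."""
    return (host or "").strip().rstrip(".").lower()

def domain_matches(host, domain):
    """Match the domain itself or a subdomain, only on a label boundary."""
    return host == domain or host.endswith("." + domain)

def categorize(host):
    for domain, category in DOMAIN_CATEGORY.items():
        if domain_matches(host, domain):
            return category
    return "uncategorized"

def decide(sni, country):
    """Return (action, reason) for one client connection."""
    host = normalize(sni)
    if country in NO_INSPECT_COUNTRIES:
        return ("bypass", "location")
    if not host:
        return ("inspect", "no-sni")        # unknown destination: keep visibility
    category = categorize(host)
    if category in BYPASS_CATEGORIES:
        return ("bypass", category)
    return ("inspect", "default")           # anything not exempted is inspected

if __name__ == "__main__":
    samples = [("login.examplebank.test", "US"), ("notexamplebank.test", "US"),
               ("EXAMPLEBANK.TEST.", "US"), ("files.example.test", "XX"), ("", "US")]
    for sni, country in samples:
        print(f"{sni!r:28} {country}  ->", decide(sni, country))
```

Logging the returned reason alongside each bypass gives auditors a record of which traffic was exempted from inspection and why.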
The internet is moving to default SSL/TLS-based encryption, and in most cases, it already has. And so have security threats, which leverage encryption technology to penetrate enterprise defenses. SSL interception is vital for enterprise security, and enterprises must carefully evaluate security stacks to ensure SSL interception capability at scale ... without compromising the user experience or the bottom line.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Amit Sinha is CTO and Executive Vice President of Engineering and Cloud Operations at Zscaler