perspective Secure Sockets Layer (SSL) was designed to maintain the integrity of transmissions through encryption, authentication and message authentication codes.
The protocol’s ability to maintain the integrity of information and to establish a secure pipeline between two endpoints was a contributing factor in the rapid adoption of e-commerce.
Besides Internet shopping, the uptake in B2B e-commerce, rising adoption of e-government applications and increased use of content-driven Web applications like Hotmail or Gmail also contribute to rising popularity of SSL.
Are "secure" connections safe?
As SSL is designed to enable "secure corridors" some companies may not be aware of the dangers of encrypted content, assuming that it is safe.
Traditional firewalls and gateway antivirus solutions are unable to scan encrypted traffic. The fact is that any malware is just as contagious via HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) as it is via HTTP. What's worse, malware transported via HTTPS is far less likely to be caught.
Administrators also have to contend with the threat from within their enterprises as employees can communicate and transmit data to external parties via HTTPS.
Malware can hide in encrypted traffic
Viruses can be encrypted and sent undetected via SSL. Therefore, SSL connections cannot guarantee security despite the good intentions for which they were designed and developed.
Even if both ends of the SSL connection are designed to protect the integrity of the content, there is no guarantee that the content is safe since data such as viruses and worms can be exchanged unknowingly.
Hackers attack last network security hole
HTTPS poses a serious vulnerability when malicious third-parties are able to tunnel through your network defenses.
Hackers know that traffic that goes through HTTPS tunnels under the cloak of encryption is wide open and unprotected. They can therefore exploit this last known major network security hole. It is not surprising that given the choice between port 80 (HTTP) and port 443 (HTTPS), the attacker will choose 443 to attack.
Trustworthiness of trusted certificates
Certificates are another well-intentioned aspect of SSL that carry their own liabilities. Internet Explorer comes equipped with over 100 pre-installed and "pre-trusted" certificate authorities that Microsoft deemed "trustworthy".
In addition, employees who encounter new certificates can add them to their trusted lists. This practice may pose a danger as the employee may lack the knowledge to apply proper diligence to this important decision.
The danger extends beyond the unknowing employee. For example, virus, Trojan, worm or malicious e-mail can add a malicious SSL certificate to the victim's user’s list of trusted root Certificate Authorities (CAs).
Certificates can be stolen as well. Estimates based on Secure Computing's own research suggest that 5 percent to 10 percent of all certificates are invalid.
Vulnerabilities of HTTPS
Several characteristics of HTTPS make it a soft target for hackers, malicious and unwitting employees. HTTPS tunnels represent a major network security threat because:
- Virus scanning and content filtering cannot be applied to encrypted content
- Outbound content filters to control dissemination of intellectual property or confidential protected information cannot be applied to SSL encrypted content
- Web server certificates can be stolen, bogus, expired or revoked (although they are regularly updated, certificate revocation lists are rarely checked by users)
- Popular browsers are notoriously vulnerable to certificate insertion attacks that allow malicious third-parties to establish trusted connections through corporate networks
- Access logs do not report "user agent" or "referrer" fields for HTTPS requests, making monitoring, audits and policy enforcement nearly impossible
- An array of tunneling methods, services and tools are easily within the average employee's reach and are already common in several forms in most enterprises (Bouncer, Guardster, CryptoTunnel, Web Mail, etc.)
- Employees are allowed to decide when a certificate can be trusted, but often lack the requisite knowledge to apply appropriate diligence to this decision
- Legitimate certificates can easily be acquired by criminals and may be enough to make Web users feel information they provide is secure when it actually is not
Meeting the challenge
While a solution has been elusive due to the challenges of scanning HTTPS for unwanted contents, the situation is not entirely hopeless.
One approach is to temporarily decrypt the SSL contents, filter the contents with normal content filters and the contents are then re-encrypted before they are delivered through the SSL tunnel. The following is a sample of protection options that companies can consider to monitor and control threats via SSL.
- Gateway antivirus and antispyware scanning
Scanning at the gateway is important because it stops viruses and malicious mobile code before it travels through the network. However, encrypted content has been impossible to scan at the gateway. By decrypting HTTPS content at the gateway and scanning for viruses, companies can rely on the same level of protection for HTTPS that is available for HTTP, FTP, and e-mail.
- Outbound content control (OCC)
Several IT security products offer outbound content control products but they are ineffective for encrypted content. By first decrypting HTTPS file transfers, enterprises can better manage and control the various SSL channels where previously contents can pass through freely in and out of the network.
- Certificate management
Most enterprises closely scrutinize companies they choose to partner or do business with offline but procedural weaknesses in the SSL certificate exchange process make this more difficult to scrutinize trading partners when transacting online. Centralizing certificate policy at the gateway removes the burden of this decision from employees and allows administrators to enforce a consistent policy.
- Flexible policy enforcement
All SSL encrypted traffic should in general be inspected. Most enterprises will want to deploy flexible policies on exactly what traffic to what site is decrypted or for which category of users. For example, executive level management may be completely exempt from SSL scanning while for the general user, SSL scanning may be deactivated for certain trusted banks or trusted categories of Web sites.
Benjamin Low is managing director for Asia South at Secure Computing. He is based in Singapore.