How SSL encryption gives a false sense of security

Author: Ananda Rajagopal, Vice President of Product Management at Gigamon

Major web browsers and many web sites rely on the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), to encrypt confidential information, such as credit card numbers, before sending it over the internet. SSL encryption is what keeps email, e-commerce, voice-over-IP, online banking, remote health and countless other services confidential in transit.

But high profile SSL vulnerabilities, including Heartbleed (an implementation bug in OpenSSL) and Padding Oracle On Downgraded Legacy Encryption (POODLE, a design flaw in SSL 3.0 reached by forcing a protocol downgrade), have exposed weaknesses in the technology.

With the Heartbleed flaw, a missing bounds check in OpenSSL's heartbeat extension lets an attacker read up to 64 KB of the server's process memory with each malformed heartbeat request. That memory can contain session data, credentials and even the server's private key. Armed with the key, attackers can decrypt recorded sessions that used RSA key exchange, or impersonate the affected server, and because heartbeat requests are not recorded in ordinary server logs, the attack leaves no trace there.

Bots in SSL clothing

Attackers also use SSL for their own purposes. They exfiltrate stolen data and files over encrypted connections, and they have hidden malware traffic, such as the Zeus botnet's command-and-control channel, inside SSL sessions that were once considered safe. Increasingly they rely on SSL sessions to dodge network security defences.

Concerns are growing, as an expanding portion of enterprise network traffic is encrypted within SSL. An independent study by NSS Labs estimates that 25 to 35 per cent of enterprise traffic is SSL encrypted and growing. In some verticals, that number is higher.

Additionally, Gartner believes that by 2017 more than half of network attacks targeting enterprises will use encrypted traffic to bypass controls, up from less than 5 per cent today.

Unsafe sessions

Another reason for concern over SSL encryption is that many security and performance monitoring tools today lack the ability to see inside encrypted sessions. Inline devices such as application delivery controllers and firewalls support SSL inspection because they terminate the session themselves, but out-of-band monitoring and security tools that work from a passive copy of the traffic often cannot access encrypted traffic to monitor network usage patterns and analyse security and application performance. Passive decryption also has a hard limit: it needs a copy of the server's private key, and it only works for sessions negotiated with RSA key exchange. Sessions that use ephemeral Diffie-Hellman (forward secrecy) cannot be decrypted by a passive tap even when the key is available.


Because SSL traffic flies under the radar, malware can exploit SSL sessions to hide its activity and thus turn unmonitored SSL traffic into a threat vector. Even for performance management tools and the out-of-band security tools that can decrypt SSL, users report a significant drop in throughput once decryption is switched on.
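Whether an out-of-band tool can decrypt a given session at all is decided in the ServerHello, before any application data flows. The following added example (not from the original article or from Gigamon) parses a TLS ServerHello record and reports the negotiated protocol version and cipher suite, and whether a passive decryptor holding only the server's RSA private key could recover the session keys. The cipher-suite table is a subset of the IANA registry; the ServerHello records used as input are constructed by the `build_server_hello` helper, not captured traffic.

```python
import struct

# Subset of IANA TLS cipher-suite IDs. The boolean records whether a passive
# tap holding the server's RSA private key can derive the session keys: only
# static RSA key transport (TLS_RSA_*) qualifies. (EC)DHE and TLS 1.3 suites
# use ephemeral keys, so the tap cannot decrypt them even with the key.
CIPHER_SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", True),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", True),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", True),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", True),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", False),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", False),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", False),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", False),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", False),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", False),
    0xC02C: ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", False),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", False),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", False),
    0x1301: ("TLS_AES_128_GCM_SHA256", False),
    0x1302: ("TLS_AES_256_GCM_SHA384", False),
    0x1303: ("TLS_CHACHA20_POLY1305_SHA256", False),
}

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello (RFC 5246 layout) and
    report what a passive decryptor could do with the session."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    # 32 bytes of server random follow the version, then the session id.
    sid_len = hello[34]
    off = 35 + sid_len
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    # Unknown suites are treated as not passively decryptable (fail closed).
    name, passive_ok = CIPHER_SUITES.get(suite, (f"unknown_0x{suite:04x}", False))
    label = VERSIONS.get(version, f"0x{version:04x}")
    if suite >> 8 == 0x13:
        # TLS 1.3 keeps legacy_version = 0x0303; the suite family gives it away.
        label = "TLSv1.3"
    return {
        "version": label,
        "cipher_suite": name,
        "passive_rsa_decrypt": passive_ok,
        "sslv3": version == 0x0300,   # POODLE-exposed if the server still allows this
    }


def build_server_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record for testing (zeroed random,
    null compression, no extensions). Constructed input, not a capture."""
    hello = struct.pack("!H", version) + bytes(32) + bytes([len(session_id)]) + session_id
    hello += struct.pack("!H", suite) + b"\x00"
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for ver, suite in [(0x0303, 0x009C), (0x0303, 0xC02F), (0x0300, 0x002F)]:
        print(parse_server_hello(build_server_hello(ver, suite)))
```

Run against real traffic, the same parser tells you in advance which sessions a key-based passive decryptor will be blind to; a server fleet that has moved to ECDHE suites needs an inline or agent-based approach instead.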

Administrators are also moving to longer key lengths for increased security, which makes every decryption more expensive: a study by NSS Labs noted a performance degradation of 81 per cent in existing SSL architectures.

Many inline tools, such as SSL proxies and application load balancers, lack the scalability to handle the traffic volume from multiple TAPs across the network, or to filter and replicate decrypted traffic to multiple monitoring tools. They also offer no visibility or traffic-intelligence functions for the traffic that is not encrypted.

SSL decryption offload

For these reasons, dedicated hardware is needed that provides visibility into SSL sessions and decrypts them at high performance, so that threats and performance issues can be detected.

To achieve this, certain vendors’ technology can offload SSL decryption to a visibility fabric platform, where a modular high performance traffic intelligence engine decrypts SSL traffic and forwards it to tools for analysis. Traffic intelligence modules can be added to a node or to a cluster in the visibility fabric to increase SSL decryption throughput as SSL processing needs increase.

This eliminates the need to have multiple decryption licenses for multiple tools and also delivers decrypted traffic to security and application performance tools as well as to any tool port in the cluster.

To prevent loss of sensitive information, decrypted traffic can be sliced (truncated after a configurable number of bytes) to remove irrelevant or private payload data, and fields within the payload can be masked before the traffic reaches any tool. Private keys loaded into the platform are encrypted under a dedicated password that is distinct from the general system administrator password.
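What slicing and masking look like in practice, as an added example that is not part of the original article and not Gigamon's implementation: the function below takes a decrypted HTTP message, masks card numbers (all but the first six and last four digits, after a Luhn check so order numbers are left alone), blanks the values of sensitive headers such as Cookie and Authorization, and only then slices the body to a fixed number of bytes. The sample request is constructed for the example, and the header list and byte budget are assumptions a deployment would tune.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Header values that should never reach a monitoring tool (assumed list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace the middle digits of every Luhn-valid PAN, keeping separators."""
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = "".join(c for c in raw if c.isdigit())
        if not luhn_ok(digits):
            return raw            # not a card number (e.g. an order ID); leave it
        n, i, out = len(digits), 0, []
        for c in raw:
            if c.isdigit():
                out.append(c if i < 6 or i >= n - 4 else "*")
                i += 1
            else:
                out.append(c)
        return "".join(out)
    return PAN_RE.sub(_mask, text)


def redact_headers(head: str) -> str:
    """Blank the value of each sensitive header; the request line is untouched."""
    lines = head.split("\r\n")
    out = [lines[0]]
    for line in lines[1:]:
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            out.append(f"{name}: [redacted]")
        else:
            out.append(line)
    return "\r\n".join(out)


def redact(message: bytes, body_bytes: int = 64) -> bytes:
    """Mask, then slice: masking first guarantees a cut never exposes a partial PAN."""
    head, sep, body = message.partition(b"\r\n\r\n")
    head_s = redact_headers(mask_pans(head.decode("latin-1")))
    body_s = mask_pans(body.decode("latin-1"))[:body_bytes]
    return (head_s + sep.decode("latin-1") + body_s).encode("latin-1")


# Constructed sample request (test card number, fake order ID and cookie).
SAMPLE = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"card=4111 1111 1111 1111&order=1234567812345678&amt=19.99"
)

if __name__ == "__main__":
    print(redact(SAMPLE).decode("latin-1"))
```

Masking before slicing is the point of the ordering: if the body were cut first, a PAN split at the boundary would fall below the 13-digit threshold and pass through untouched.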

By delivering SSL decryption as a common service to security and performance management tools, the tools can return to full performance. Further, because SSL is at the heart of today's enterprise infrastructure, endpoints and DMZ servers are exposed to attacks that go unseen when the right level of traffic visibility is missing.

A traffic intelligence application that provides visibility into SSL sessions gives administrators deeper insight into these infrastructure blind spots, and with it a better chance of guarding endpoints and servers.
