How SSL encryption gives a false sense of security
- 03 March, 2015 14:37
Major web browsers and many web sites rely on the Secure Sockets Layer (SSL) protocol, which encrypts confidential information, such as credit card numbers, before sending them securely over the internet. SSL encryption ensures that email, e-commerce, voice-over-IP, online banking, remote health and countless other services are kept secure.
But high profile SSL vulnerabilities, including Heartbleed and Padding Oracle On Downgraded Legacy Encryption (Poodle), have exposed weaknesses in the technology.
With the Heartbleed security flaw, cybercriminals can trick a host server into sending them sensitive information, including even the private encryption keys used to encrypt and decrypt information. Armed with these keys, hackers are able to access encrypted communications freely or impersonate the affected server – all without leaving any trace.
Bots in SSL clothing
The hackers and cyber-criminals are able to encrypt and leak confidential data and files using SSL connections. They have succeeded in hiding threats, such as the Zeus botnet, in SSL sessions that were once considered safe. Increasingly they are using SSL sessions to dodge network security defences.
Concerns are growing, as an expanding portion of enterprise network traffic is encrypted within SSL. An independent study by NSS Labs estimates that 25 to 35 per cent of enterprise traffic is SLL encrypted and growing. In some verticals, that number is higher.
Additionally, Gartner believes that by 2017 more than half of network attacks targeting enterprises will use encrypted traffic to bypass controls - up from less than 5 per cent today.
Another reason for concerns over SSL encryption is that many security and performance monitoring tools today lack the ability to see inside encrypted sessions. Although inline devices such as application delivery controllers and firewalls support SSL inspection, out-of-band monitoring and security tools often cannot access encrypted traffic to monitor network usage patterns and analyse security and application performance.
Because SSL traffic flies under the radar, malware can exploit SSL sessions to hide its activity and thus turn unmonitored SSL traffic into a threat vector. Even for performance management tools and many out-of-band security tools that do decrypt SSL, users have reported significant decline in performance.
Security administrators are using larger ciphers for increased security. A study by NSS Labs noted a performance degradation of 81 per cent in existing SSL architectures.
Many inline tools, such as SSL proxies and application load balancers, lack the scalability to handle the traffic volume from multiple TAPs across the network or to filter and replicate decrypted traffic to multiple monitoring tools. These tools also lack visibility functionality or traffic intelligence for non-encrypted traffic.
SSL decryption offload
For these reasons, new hardware is essential that will provide visibility into SSL sessions and decrypt them at high performance to detect threats or performance issues.
To achieve this, certain vendors’ technology can offload SSL decryption to a visibility fabric platform, where a modular high performance traffic intelligence engine decrypts SSL traffic and forwards it to tools for analysis. Traffic intelligence modules can be added to a node or to a cluster in the visibility fabric to increase SSL decryption throughput as SSL processing needs increase.
This eliminates the need to have multiple decryption licenses for multiple tools and also delivers decrypted traffic to security and application performance tools as well as to any tool port in the cluster.
To prevent loss of sensitive information, decrypted traffic can be sliced to remove irrelevant or private payload data and fields within the payload can be masked. Private keys are encrypted using a special password that is distinct from the generic system admin password.
By delivering SSL decryption as a common service to security and performance management tools, the tools can return to full performance. Further, because SSL is at the heart of today's enterprise infrastructure, endpoints and DMZ servers are potentially exposed to attacks without the right level of traffic visibility.
However, a traffic intelligence application that provides visibility into SSL sessions, will give administrators deeper insights into infrastructure blind spots, to guard end points and servers.