HTTPS and SSL Are a Two-Edged Sword

Posted on December 2, 2016


We all know that HTTPS and SSL stand for security and encryption. When we connect to our bank or favorite online retailer, we know we can submit our credit card information or account number with confidence, knowing that our data is shielded from prying eyes. But that shield cuts both ways, because cyber criminals want to hide their traffic from view as well.

Just as data transmitted over HTTPS/SSL is hidden from sinister eyes nearby, cyber criminals can hide malicious code in web streams that slip past traditional firewalls, which are blind to the content of these encrypted sessions. An example might be malware delivered inside an HTTPS response to a request from an unsuspecting user on a network device. HTTPS/SSL can indeed cut both ways.

If you think this is farfetched, think again. According to Gartner, less than 20% of organizations today utilize firewalls, IDS/IPS or UTM devices that are capable of decrypting SSL traffic. In other words, malware and who knows what else is being transmitted to or from these organizations totally uninhibited and unrecognized. Because HTTPS hides the enclosed traffic from view, it is growing in popularity as a means of transmitting malicious code. In fact, it is so popular that Gartner estimates that by 2017, over 50% of network attacks will use SSL to bypass the security that protects the typical targeted enterprise. For IT security professionals, this is a real problem.

It’s not just incoming traffic, however. Outgoing traffic can be just as damaging to an organization. An established network breach in which a rootkit or backdoor is uploading sensitive data to an external controller, invisible to traditional perimeter security, can be detrimental. Organizations also face the risk of data leakage, including proprietary information and intellectual property, at the hands of internal employees who can upload what they have captured to HTTPS websites. Personal and financial records could be uploaded as well under the cloak of SSL encryption. Not enough organizations think about filtering or blocking outgoing HTTPS/SSL traffic, and even those who do may not be able to block these unauthorized sessions due to the limitations of their security hardware.

Another sad fact today is that cyber criminals are figuring out how to exploit legitimate certificate domains through a technique referred to as domain shadowing, in which an attacker creates a subdomain under a legitimate domain that leads to a server the attacker controls. Other cases have been found in which users had installed compromised certificates, which means that a certificate doesn’t guarantee safety.

Now compound this dilemma with the fact that more and more organizations are serving their web traffic over SSL by default. This produces even more encrypted sessions and is a clear example that more of a good thing isn’t necessarily better. This explosive growth in SSL traffic raises the question of which traffic should be decrypted, if an enterprise has that capability at all. It also eliminates the possibility of simply blocking SSL traffic for your users, as that would immediately result in the helpdesk phones lighting up with angry users.

In order to protect your organization from nefarious exploits cloaked under the secrecy of SSL, you need a web filter or web gateway that has the capability to intercept and decrypt SSL traffic. The idea behind this is relatively simple in theory. The web filter creates a secure connection between the client browser and the filter, then decrypts the outgoing SSL traffic into plain text so that the traffic can be analyzed. Once reviewed, the traffic is re-encrypted and another secure connection is created between the Web filter and the Web server. This means that the Web filter is effectively acting as an SSL proxy server, so it can both intercept the SSL connection and inspect the content. Now compound that with the ability to check the SSL certificate of the website in question. Although secure web browsers perform this task as well, the gateway's list of Certificate Authorities and Certificate Revocation Lists is usually more up to date. In addition, a web filter will block access to an invalid certificate at the gateway, while a browser allows the connection to the site itself before dropping it.

The fact is, SSL traffic is a two-edged sword. It can both protect you and harm you, but with the right security tools, you can limit the downside of this popular and powerful protocol.


Posted in: IT Security