Whenever a new exploit vector surfaces, security companies scramble to develop new approaches to stop cyber criminals from abusing it. Hmmm. Attacks that leverage encryption aren’t all that new. But internet security solutions still haven’t figured out the best ways to detect them. Granted, inspecting encrypted traffic is difficult because the tools that do SSL inspection don’t have key and certificate intelligence. But even that doesn’t explain why a new study found that many internet security solutions can actually make SSL/TLS connections less secure.
“As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic,” notes the report conducted by researchers from Google, Mozilla, and Cloudflare along with those from four U.S. universities. This team of researchers tested major middlebox and antivirus products to determine the prevalence and impact of HTTPS interception. And the results were somewhat disheartening.
All but one middlebox solution “weakened connection security and introduced TLS vulnerabilities such as Logjam, weak export and RC4 ciphers, or didn't validate digital certificates properly,” reports iTnews.com.au. Of the 29 antivirus solutions tested, about half would intercept TLS connections. Sadly, only one of these did not reduce TLS connection security.
How do security solutions that attempt to detect and block harmful traffic actually end up reducing connection security? First, to look for malicious or disallowed content, the security solution must terminate the client’s TLS connection so that it can decrypt the traffic. After its analysis is complete, the security solution must then establish its own TLS connection onward to the intended server. For the client to accept this, the process involves injecting the solution’s own certificates into the trust stores of web browsers or devices on an organization’s network.
The new certificates that security solutions inject may not adhere to the same stringent standards that most organizations impose on their own certificates. "Many of the vulnerabilities we find in anti-virus products and corporate middleboxes — such as failing to validate certificates and advertising broken ciphers — are negligent and another data point in a worrying trend of security products worsening security rather than improving it," the study concludes.
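As an added illustration of the two failure modes the study names above (advertising broken ciphers and failing to validate certificates), the following Python audit is example code written for this post; it is not from the study or from any vendor’s product. It grades a constructed profile of what an interception product offers on its upstream (proxy-to-server) leg, and beside it builds the hardened upstream settings a proxy would need in order not to weaken the connection. `InterceptorProfile`, the sample profile and the 2048-bit threshold used for Logjam-class DHE groups are assumptions made for the example.

```python
"""Audit what a TLS-interception product offers on its upstream (proxy -> server) leg.

Example code added to this post; not from the cited study or any vendor.
The profile data below is constructed, not captured from a real product.
"""
import re
import ssl
from dataclasses import dataclass

# Suites the study calls out (RC4, export-grade) plus NULL/anonymous suites,
# which provide no confidentiality or no server authentication at all.
WEAK_CIPHER_PATTERNS = {
    "RC4": re.compile(r"RC4"),
    "export-grade": re.compile(r"\bEXP"),                 # e.g. EXP-DES-CBC-SHA
    "NULL encryption": re.compile(r"NULL"),
    "anonymous key exchange": re.compile(r"\bA(EC)?DH"),  # ADH-*, AECDH-*
}
LOGJAM_SAFE_DH_BITS = 2048  # assumption for this example: 1024-bit DHE groups are Logjam-class


@dataclass
class InterceptorProfile:
    """Constructed description of an interception product's upstream behaviour (not a vendor API)."""
    name: str
    advertised_ciphers: list
    dhe_group_bits: int           # smallest DHE group the product will accept
    validates_server_cert: bool   # rejects untrusted/expired/mismatched upstream certs?


def audit_interceptor(profile: InterceptorProfile) -> list:
    """Return one finding per way the product weakens the upstream connection."""
    findings = []
    for suite in profile.advertised_ciphers:
        for label, pattern in WEAK_CIPHER_PATTERNS.items():
            if pattern.search(suite):
                findings.append(f"advertises {label} suite {suite}")
                break  # one finding per suite is enough
    if profile.dhe_group_bits < LOGJAM_SAFE_DH_BITS:
        findings.append(f"accepts {profile.dhe_group_bits}-bit DHE groups (Logjam class)")
    if not profile.validates_server_cert:
        findings.append("does not validate upstream server certificates")
    return findings


def hardened_upstream_context() -> ssl.SSLContext:
    """Upstream-leg settings a non-weakening proxy needs: chain and hostname
    validation on, TLS 1.2 or newer, and legacy suites excluded."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!MD5")
    return ctx


def context_validates(ctx: ssl.SSLContext) -> bool:
    """True when the context both verifies the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def profile_from_context(name: str, ctx: ssl.SSLContext, dhe_group_bits: int) -> InterceptorProfile:
    """Build a profile from a live SSLContext so the same audit can grade it.
    The DHE group size is not observable from a context, so the caller supplies it."""
    return InterceptorProfile(
        name=name,
        advertised_ciphers=[c["name"] for c in ctx.get_ciphers()],
        dhe_group_bits=dhe_group_bits,
        validates_server_cert=context_validates(ctx),
    )


# Constructed sample: a legacy middlebox exhibiting every weakness the study names.
WEAKENING_PROXY = InterceptorProfile(
    name="constructed legacy middlebox",
    advertised_ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA",
                        "EXP-DES-CBC-SHA", "ADH-AES128-SHA"],
    dhe_group_bits=1024,
    validates_server_cert=False,
)

if __name__ == "__main__":
    for p in (WEAKENING_PROXY,
              profile_from_context("hardened proxy", hardened_upstream_context(), 2048)):
        print(f"{p.name}:")
        for line in audit_interceptor(p) or ["no weakening detected"]:
            print(f"  - {line}")
```

Running it reports five findings for the constructed middlebox (RC4, export-grade and anonymous suites, a 1024-bit DHE group, and missing certificate validation) and none for the hardened context. The same audit can be pointed at whatever a real proxy presents on its upstream leg, which is the question the study set out to answer.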
Given their lackluster performance, it’s fairly apparent that security vendors are still scrambling to catch up with the growth in attacks using SSL/TLS. “This new research shows security vendors are struggling, at best, and in the process they are introducing new vulnerabilities,” notes Kevin Bocek, VP of security strategy at Venafi. But it’s critical that security vendors get it right sooner rather than later. Analysts estimate that between 50 and 70% of network attacks will use seemingly trusted SSL to infiltrate, expand, and exfiltrate in the very near future.
How did we get into such a pickle? Bocek observes, “Almost all security systems were architected in the days when encrypted SSL/TLS made up small portions of network traffic. At that time SSL/TLS wasn’t being abused by attackers.” These systems simply were not engineered to inspect encrypted traffic. As a result, many of them have no safe way to access an enterprise’s keys and certificates in order to inspect that traffic. According to Bocek, “This must be a high priority for the entire security industry. Right now, our adversaries continue to win.”
Do you have enough visibility and control over your organization’s keys and certificates to make them safely available for decryption and inspection?