Secure Sockets Layer (SSL) inspection is essential to addressing the risks that Hypertext Transfer Protocol Secure (HTTPS) introduces. For example, malware delivered by a phishing email can use HTTPS to contact its command-and-control server and download further payloads onto a user's machine. To defend against attacks that hide inside encryption, many organizations deploy SSL inspection products that decrypt HTTPS sessions and scan the traffic for malicious content.
Unfortunately, many products fail to properly perform SSL inspection.
According to a report published by researchers at Mozilla, CloudFlare, and Google, 11 of the 12 TLS-inspecting middleboxes they tested actually weakened connection security. One cause was improper certificate validation: because the middlebox terminates the client's TLS session and opens its own session to the server, the client can no longer validate the server's certificate itself and must rely on the middlebox to do so. Will Dormann of CERT explains how a failure to verify certificates jeopardizes security:
"… The client can verify only that it is communicating with the SSL-inspecting software. The client is unaware of what technique the SSL-inspecting software is using for validating SSL certificates. And perhaps more importantly, whether there are additional points between the SSL-inspecting software and the target system is impossible for the client to determine. Is there an attacker between the SSL-inspecting software and the target server? The client has no way of knowing. Because of this lack of transparency, the client must assume that the SSL-inspecting software is doing everything perfectly. Unfortunately, SSL-inspecting software does not do everything perfectly."
Dormann analyzed dozens of software products that perform SSL inspection and found that many of them made one or more of seven mistakes that weakened connection security. These results in part motivated US-CERT to publish an alert entitled "HTTPS Interception Weakens TLS Security" that details the dangers of poorly implemented SSL inspection.
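The failure Dormann describes lives entirely on the upstream side of the proxy: the client sees only the proxy's certificate, so whatever the proxy does (or does not do) when it validates the real server's certificate is the only validation that happens. The following Python script is an added example, not code from the article, Dormann, or any product. It builds a deliberately weak upstream TLS context beside a hardened one, audits each for the settings that cause the problem, and, when run with network access, probes both against the public badssl.com test hosts, which present expired, self-signed and wrong-hostname certificates that a correctly validating proxy must reject. The function names are the example's own.

```python
"""Audit the upstream-side TLS policy of an SSL-inspecting proxy.

Added example (not from the original article). The proxy holds two TLS
sessions, client<->proxy and proxy<->server; only the second one ever
validates the real server's certificate, so that is the policy to check.
"""
import socket
import ssl
from typing import List


def weak_upstream_context() -> ssl.SSLContext:
    """The mistake: accept any upstream certificate, from anyone, for any name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # chain is not validated at all
    return ctx


def hardened_upstream_context() -> ssl.SSLContext:
    """Validate chain and hostname against the system trust store; TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a client behind a proxy using this context is exposed to."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("upstream certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("upstream hostname is not checked (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions are allowed (minimum_version below TLS 1.2)")
    return findings


def upstream_accepts(ctx: ssl.SSLContext, host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if a proxy using ctx would accept the certificate that host presents.

    Requires network access; certificate and hostname failures return False,
    other connection errors (DNS, timeout) are raised to the caller.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    # Public test hosts with deliberately bad certificates; a validating proxy rejects all three.
    BAD_HOSTS = ["expired.badssl.com", "self-signed.badssl.com", "wrong.host.badssl.com"]
    for name, ctx in (("weak", weak_upstream_context()), ("hardened", hardened_upstream_context())):
        print(f"{name} context findings: {audit_context(ctx) or 'none'}")
        for host in BAD_HOSTS:
            verdict = "ACCEPTED" if upstream_accepts(ctx, host) else "rejected"
            print(f"  {host}: {verdict}")
```

The same probe works against a deployed middlebox from a client behind it: browse to the three badssl.com hosts and, if any of them loads with a clean padlock, the inspecting device is accepting certificates a browser would have refused, which is exactly the condition Dormann describes.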
Not everyone is pleased with this advisory. Some feel it overlooks the benefits of SSL inspection. David Holmes, world-wide security evangelist at F5 Networks, is one of those individuals.
"The situation is a little more nuanced than they are suggesting," explains Holmes. "The way the headline is written makes it sound like SSL interception is a bad thing. In reality, what the researchers are saying is that WHEN DONE POORLY it's a bad thing."
Kevin Bocek, vice president of security strategy at Venafi, takes it a step further. He feels that recent discussions about the potential vulnerabilities of looking inside encrypted SSL/TLS traffic ignore the critically important role of SSL inspection. He explains,
"SSL/TLS inspection is not just about employee use of the Internet. It's also about threats from web applications that seek to hide, move, and expand across networks."
Bocek goes on to recommend, "Organizations need SSL inspection to examine application, cross-network, cross-cloud, cross-data-center and IoT communications. Failing to inspect these communications makes the security technology that businesses rely on to protect them from cyber attacks far less effective. SSL inspection is the only way to protect against threats hiding in incoming and cross-network encrypted traffic."
Examining encrypted traffic is critical to improving security. Organizations should evaluate SSL inspection products carefully and deploy them properly, so that the inspecting device validates upstream certificates at least as strictly as the clients it stands in for would have. To maximize performance and security, they should also invest in a solution that integrates with key and certificate management to automate SSL/TLS decryption.
Does your SSL/TLS Inspection solution have easy access to necessary keys and certificates?