What is SSL Decryption?
The SSL (Secure Sockets Layer) protocol and its modern, more secure replacement TLS (Transport Layer Security), are used to encrypt web traffic. Encrypting data in transit is standard practice, with approximately 90% of web pages now being encrypted. Although this helps prevent data breaches, cyber criminals use these encrypted channels to propagate malware and exfiltrate data, knowing they can bypass traditional security inspection solutions that don’t decrypt traffic.
Security inspection tools such as next-gen-firewalls (NGFW), data-loss protection (DLP) systems, intrusion detection/protection systems (IDS/IPS), web gateways, and others are great at finding threats within traffic. However they do not efficiently decrypt traffic before inspecting. This leaves security inspection tools blind to encrypted threats, and allows malware or intellectual property data to flow through without being inspected or stopped where appropriate. SSL Decryption, also referred to as SSL Visibility, is the process of decrypting traffic at scale and routing it to various inspection tools which identify threats inbound to applications, as well as outbound from users to the internet.
What is driving increased use of SSL/TLS encryption?
The use of SSL/TLS encryption for web traffic has increased dramatically due to several reasons:
- Availability of cheap or free certificates: Let’s Encrypt is a free, automated, and open certificate authority (CA). Let’s Encrypt is easily accessible to small site operators for whom cost was previously a barrier, and for site/app developers who want automate the implementation of certificates within their applications. However, criminals can just as easily obtain the same certificates to make their fake sites appear legitimate. They then use these sites for phishing, man-in-the middle, DNS cache poisoning, and other attacks.
- Google Chrome browser warnings: As of July 2018, websites not using SSL/TLS encryption will automatically be flagged as not secure.
- Google Search results rankings: Google provides higher rankings within search results for sites that use SSL/TLS encryption.
- Increase focus on user privacy: The large number of data breaches in the news has increased the public’s interest in data and user privacy. Laws and regulations such as the European Union GDPR, and California’s new Consumer Privacy Act, have also motivated organizations to implement SSL/TLS.
What are the challenges in decrypting SSL/TLS traffic?
In addition to threats that hide within encryption, you need to be aware of other challenges when designing or maintaining an architecture to inspect traffic. They include:
- Increased complexity: Many companies use multiple security inspection tools to find and stop different types of threats. Some of these tools do not decrypt traffic, and others are unable to decrypt at scale. This results in an unpredictable inspection architecture, and makes it more complex to route traffic efficiently from device-to-device. Also, inspection tool failures can potentially introduce latency or dead-ends to the traffic; and having multiple points of decrypt and encrypt causes simple changes on one device to be much more complex, as it can affect the entire inspection chain.
- Performance impacts: Decrypting and re-encrypting traffic is computationally intensive, which can cause performance impacts on inspection devices. This often results in only some traffic being inspected for threats, while traffic that surpasses a tool’s compute limit is passed through without inspection.
- Modern cryptography: Without a centralized way to decrypt and encrypt, the use of standard ciphers is tough to manage when changes are necessary. In addition, with organizations preferring to use perfect forward secrecy ciphers in most cases, an encryption key cannot simply be shared with out-of-band inspection devices to perform passive inspection.
- Privacy regulations: A lack of customizable policy-based traffic classification can lead to all traffic being decrypted, which may violate your users’ privacy. Although decrypting traffic is essential to finding malware and other threats, having that much visibility into your users’ banking or healthcare info could violate laws or regulations.
How can you protect your organization against encrypted threats?
By applying policy-based decryption and traffic steering to both your inbound and outbound traffic, you gain visibility into encrypted traffic as well as greater efficiency and resiliency of your entire inspection tool stack.
By choosing an SSL/TLS solution that provides for centralized management, you can simplify the process of choosing and updating the cipher suites that help secure network connections using SSL/TLS. This drives better performance of your traffic inspection security tools, while allowing greater flexibility in managing the ciphers you use in end-to-end encryption.
For more info:
SSL Visibility Solution
F5 SSL Orchestrator Product