Growing Network-Encryption Use Puts Systems at Risk
As concern about Internet security has risen over the years, users have increasingly chosen to protect sensitive transmissions via Secure Sockets Layer or Transport Layer Security cryptographic technology.
However, this trend has raised cybersecurity concerns.
A recent study by firewall vendor Palo Alto Networks indicates that SSL and TLS encryption hide transmission contents from security applications that work by scanning inbound and outgoing transmissions.
"As a practical matter, no one can determine what the content of that traffic is unless they have the ability to decrypt it. If they don’t have that, then they're blind to it," said Scott Crawford, managing research director at Enterprise Management Associates, a consultancy and market-research firm.
SSL and TLS basics
Netscape released the first public SSL version in 1995. The Internet Engineering Task Force released the first public TLS version, based largely on SSL, in 1999.
The technologies provide privacy, authentication, and message integrity by employing a cryptographic system that uses an openly available public key in conjunction with a private key that only the recipient knows.
To communicate safely, each party must send the other a security certificate.
Each then encrypts what it sends using information from both its own and the other party's certificate. This ensures that only the intended recipient can decrypt the transmission. It also ensures that the data comes from the place it appears to have come from and that no one tampered with it.
The main difference between the two cryptographic approaches is that SSL starts with a safe connection and then secures the communications itself.
TLS starts with an insecure connection to a server and switches to secured communications only after a client–server handshake. If the handshake fails, no connection occurs.
TLS is more extensible and allows both secure and insecure connections over the same port. SSL requires a secure-only port.
Usage on the Rise
Palo Alto Networks' recent study analyzed 28 exabytes of data generated by 1,253 organizations from October 2010 to April 2011, and found that SSL and TLS use is growing.
"Applications using SSL … represent 25 percent of the applications found and 23 percent of the overall bandwidth used," stated Palo Alto's 2011 Application Usage and Risk Report.
SSL and TLS use will continue to grow because of ongoing Internet-security concerns and because they're popular with major websites, including social-networking sites, said Mike Haro, head of communications for Palo Alto Networks.
In fact, Facebook, Gmail, and Twitter all recently added SSL as either a standard setting or a user-selectable option.
Dangerous side effects
Many security products, such as antimalware software, firewalls, and data-loss-prevention tools that scan ingoing or outgoing transmissions, can't read the contents of communications protected by SSL or TLS.
"There are a lot of valid reasons for their use, but they pose an issue for security professionals in that they obscure traffic that could potentially be malicious," Crawford said.
And if organizations routinely encrypt traffic streams via SSL or TLS, Palo Alto said, disgruntled employees or other insiders could send out confidential information without being detected.
Companies must do more to deal with the problems that SSL and TLS can cause, said Ryan White, a product marketing manager with security vendor Symantec.
Organizations could take steps to inspect network traffic for malicious content that might be hidden by SSL or TLS encryption.
One technique would be to sniff data packets and identify their destination IP addresses, Crawford said. Because the packet headers aren't encrypted, the IP addresses are readable.
"If you can correlate that IP address with other known malicious activity, then you have probably reinforced your identification of a potential command-and-control channel," Crawford said.
To cope with incoming traffic, he noted, network administrators could use a white-hat man-in-the-middle approach, in which a proxy intercepts the traffic between a client and the organization's server.
In the communications process, he said, the man-in-the-middle could masquerade to the client as the server and request the former's private cryptographic key. At that point, the organization could inspect the traffic for security problems before it reaches the server, which could then send the transmission, if deemed safe, to its ultimate destination.
A similar process could be used for outbound traffic.
White expressed optimism that such techniques will help organizations deal with communications encrypted via SSL or TLS.
"But the problem is [getting] businesses to adopt the practices and implement them correctly," he added.
According to Crawford, the SSL- and TLS-related issues are indicative of a bigger problem, which is that many organizations fail to monitor activity on their networks closely enough.