Even though HTTPS (Hypertext Transfer Protocol Secure) is used by most banks, online shops, and giant companies like Google and Facebook to increase security, HTTPS cannot always prevent malware programmers from spreading malicious codes. According to a CeBit article, many conventional firewalls do not recognize encrypted malware for what it is, and therefore let it enter company networks unchallenged.
Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems. In the late 2000s and early 2010s, HTTPS began to see widespread use for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private
Developed by Netscape in 1994, HTTPS, according to Wikipedia, was primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems. It wasn’t until the late 2000s and early 2010s that HTTPS started to widely spread and be used to increase the security of various pages, websites, accounts, etc., and protect the privacy of all users.
“According to a recent study by Dell, encrypted internet traffic is growing rapidly with SSL and TLS. It more than doubled in 2014 – from 182 billion connections to 437 billion. In October 2014, 32.8 percent of the 150,000 most popular websites were HTTPS encrypted. And the trend is upward,” wrote Andreas Dumont for CeBit. “Almost none of this traffic is scanned for hidden malware. This means that one-third of all data traffic represents a potential entry point for malware directly into the company network,” Dumont continued.
A NSS research study in 2013 that analyzed how SSL negatively impacts the next-generation firewall (NGFW) devices concluded that:
- Inspecting SSL traffic impacts both overall throughput and the average number of transactions per second for NGFWs
- SSL traffic on enterprise networks is growing rapidly & creating security blind spots
- Exploits using SSL may be few, but usually involve highly sophisticated malware
“Because industry standards are moving towards 2048b and SSL/TLS traffic is rapidly increasing, the ability to effectively support SSL/TLS decryption can no longer be swept under the rug. If this thought process continues I foresee a huge issue in the future for enterprises trying to keep targeted persistent attacks at bay,” NSS Labs Research Vice President John Pirc said in a press release.
The NGFW platform, which combines a traditional firewall with various other network devices used for filtering network traffic, performs a better SSL inspection of viruses, malware and other possible harmful activities compared to conventional firewalls.
According to Wikipedia, Gartner states that NGFW should provide:
- Non-disruptive in-line bump-in-the-wire configuration
- Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN), etc.
- Integrated signature based IPS engine
- Application awareness, full stack visibility and granular control
- Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.
- Upgrade path to include future information feeds and security threats
- SSL decryption to enable identifying undesirable encrypted applications
“Today, the percentage of malware using SSL/TLS is very small, however, as more decide to use SSL/TLS for both delivering malware and as a call back to a command and control server, we are going to be blind to the attacks. I think we still have time for vendors to improve their capabilities… but until then, we may have to accept that operating an additional piece of hardware in the network dedicated to SSL decryption is probably our best strategy,” Pirc said.
More solutions to this problem are expected to be presented at the next CeBit event in March 2016.
(Picture source: blog.ahrefs.com)