Exposing the hidden threats in encrypted traffic with SSL decryption

Secure Sockets Layer (SSL) is one of the most widely used technologies for encrypting data and protecting it as it travels over the internet. It establishes a secure channel between two systems on the web or on a local area network. In your web browser, SSL use is indicated by the S following HTTP in the site address and usually by a padlock symbol. Although the technology has now been widely supplanted by Transport Layer Security (TLS), it is still generally referred to as SSL.

SSL is essential for three reasons:

* It protects data transmissions with encryption – browser to server, server to server, application to server and so forth

* It authenticates to ensure that the server you’re connected to is the one you think it is

* It delivers data integrity by ensuring that the data that is requested or submitted is what gets delivered

SSL is frequently used to secure online traffic, including payment card transactions, webmail portals, logins, file transfers and more. However, the same encryption also hides any security threats carried in that traffic from inspection.

To spot these hidden dangers, you need to decrypt the traffic. You may think privacy legislation such as GDPR would stop you from doing this, but if decryption is used responsibly it can be a valuable strategy for protecting your traffic while remaining within the law.

Decryption and GDPR

Many organisations assume that GDPR means you can’t use SSL decryption, but this is not the case.

Under GDPR, you are allowed to put in place measures to secure the processing of personal data. Indeed, it goes further and recommends that you put such measures in place. So how can you implement decryption and stay compliant with the regulations?

The first step in implementing decryption involves reassuring people within the business that you plan to roll out the implementation in a manner sensitive to all compliance considerations. At this stage, you need to be clear about expectations surrounding which data you need to decrypt.

For example, you could decide that you won’t decrypt specific classes of data that are especially sensitive. These might relate to banking, health care or government. Keep your board of directors, managers and legal team informed of your intentions.

More generally, rather than decrypting everything, you should focus on specific high-risk categories of traffic. For example, this might be traffic to newly registered domains, websites that have recently been infected or websites that are uncategorised.

There are other best-practice hygiene measures you can implement too. These include preventing users from connecting to websites with expired, untrusted or self-signed certificates. Businesses can implement these options without needing to decrypt any traffic, and they significantly protect users.

Having decided what you want to do, you must ensure your technical implementation meets your organisation’s needs. Installing a next-gen firewall, for example, helps set your security policy while respecting the need to protect confidential traffic.
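The following is an added example, not code from the article or from any firewall vendor, showing how the decisions described above can be written down as an explicit inspection policy: block connections with bad certificates before any decryption happens, exempt the classes of data the business has agreed not to decrypt, and decrypt only the high-risk categories (uncategorised, recently infected, newly registered domains). The flow attributes, category names and the 30-day "newly registered" threshold are assumptions for the example; a real deployment would feed them from its proxy or next-gen firewall and its URL-classification and domain-age sources.

```python
"""Selective TLS inspection policy (constructed example).

Decides, per flow, whether to block, bypass or decrypt, using only
information available before decryption (SNI, category, certificate
validation result, domain age). None of the names here come from a
real product; they are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Action(Enum):
    BLOCK = "block"      # refuse the connection outright (no decryption needed)
    BYPASS = "bypass"    # pass through without inspection
    DECRYPT = "decrypt"  # terminate TLS and inspect the content


@dataclass(frozen=True)
class Flow:
    server_name: str          # hostname from the TLS SNI extension
    category: str             # label from a URL-classification feed (assumed)
    cert_not_after: date      # certificate expiry date
    cert_self_signed: bool    # leaf certificate signs itself
    cert_chain_trusted: bool  # chain validates to a trusted root
    domain_registered: date   # registration date from WHOIS/RDAP (assumed)


# Classes of data the business has decided it will never decrypt.
SENSITIVE_CATEGORIES = {"banking", "health", "government"}

# Categories treated as high risk and therefore always inspected.
HIGH_RISK_CATEGORIES = {"uncategorised", "recently-infected"}

# A domain registered within this many days counts as "newly registered".
NEW_DOMAIN_DAYS = 30


def decide(flow: Flow, today: date) -> Action:
    """Apply the policy in precedence order and return the action."""
    # 1. Certificate hygiene: these checks need no decryption at all.
    if flow.cert_self_signed or not flow.cert_chain_trusted:
        return Action.BLOCK
    if flow.cert_not_after < today:
        return Action.BLOCK
    # 2. Privacy exemptions agreed with the board and legal team.
    if flow.category in SENSITIVE_CATEGORIES:
        return Action.BYPASS
    # 3. High-risk traffic is decrypted and inspected.
    if flow.category in HIGH_RISK_CATEGORIES:
        return Action.DECRYPT
    if (today - flow.domain_registered).days <= NEW_DOMAIN_DAYS:
        return Action.DECRYPT
    # 4. Everything else passes through uninspected.
    return Action.BYPASS


def audit_record(flow: Flow, today: date) -> dict:
    """Decision record for compliance review; holds no payload data."""
    return {
        "server_name": flow.server_name,
        "category": flow.category,
        "action": decide(flow, today).value,
        "decided_on": today.isoformat(),
    }


# Constructed sample flows (hostnames and dates are invented).
TODAY = date(2024, 6, 1)
SAMPLE_FLOWS = [
    Flow("bank.example", "banking", date(2025, 1, 1), False, True, date(2010, 3, 4)),
    Flow("xyz123.example", "uncategorised", date(2025, 1, 1), False, True, date(2019, 7, 8)),
    Flow("fresh.example", "news", date(2025, 1, 1), False, True, date(2024, 5, 20)),
    Flow("old-news.example", "news", date(2025, 1, 1), False, True, date(2012, 9, 9)),
    Flow("expired.example", "shopping", date(2024, 1, 1), False, True, date(2015, 2, 2)),
    Flow("selfsigned.example", "tools", date(2025, 1, 1), True, False, date(2018, 6, 6)),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(audit_record(f, TODAY))
```

The ordering matters: certificate checks run first because they protect users without decrypting anything, and the sensitive-category exemption runs before the high-risk rules so that a banking site that happens to be uncategorised is still left alone.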

Hidden threats

So why do we need to worry about threats from encrypted traffic? The problem is that encryption is becoming ubiquitous. It’s now used not only to secure sensitive, personal or private information; today, we encrypt pretty much all traffic travelling around enterprise networks.

It is happening on the internet too. As far back as 2016, more than half of internet traffic was protected by HTTPS, and that share is much higher now. This is partly driven by Google and other search engines penalising sites that don’t use SSL by ranking them lower in their search results.

The problem with this dash to encryption is that businesses can be left blind to security threats that may be contained inside their encrypted traffic. Attackers naturally want to exploit the lack of visibility to hide malicious code in encrypted traffic and disseminate their malware across the net. The availability of cheap or free SSL certificates from several providers compounds this, making it easier for attackers to deliver automated malware and phishing campaigns over SSL.

As a result, even legitimate websites that use SSL can become infected with malware. Insider attackers can also exploit encryption to hide data being stolen from the network.

If your business cannot see incoming threats, it can’t adequately guard against them. The capability to decrypt SSL traffic gives you visibility into that traffic, so you can classify, control and scan it to ensure it’s safe.