Exposing the hidden threats in encrypted traffic with SSL decryption

December 18, 2022
Posted by: Gradeon
Category: Compliance

A secure Socket Layer (SSL) is one of the most widely used technologies in encrypting data and providing security as it travels over the internet. It establishes a secure channel between two systems on the web or a local area network. In your web browser, SSL use is indicated by the S following HTTP in the site address and usually by a padlock symbol. Although the technology has now been widely supplanted by Transport Layer Security (TLS), it’s still generally referred to as SSL.

SSL is essential for three reasons:

* It protects data transmissions with encryption – these can be browser to the server, server to server, application to the server and so forth

* It authenticates to ensure that the server you’re connected to is the one you think it is

* It delivers data integrity by ensuring that the data that is requested or submitted is what gets delivered

SSL is frequently used to secure online traffic, including payment card transactions, webmail portals, logins, file transfers and more. However, encrypting information can lead to problems with security threats being hidden in encrypted traffic.

To spot these hidden dangers, you need to decrypt the traffic. But, of course, you may think privacy legislation like GDPR would stop you from doing this. Still, if it’s used responsibly, it can be a valuable strategy for protecting your traffic while remaining within the law.

Decryption and GDPR

Many organisations assume that GDPR means you can’t use SSL decryption, but this is not the case.

Under GDPR, you are allowed to put in place measures to secure the processing of personal data. Indeed it goes further and recommends that you put such efforts in place. So how can you implement decryption measures and stay compliant with the regulations?

The first step in implementing decryption involves reassuring people within the business that you plan to roll out the implementation in a manner sensitive to all compliance considerations. At this stage, you need to be clear about expectations surrounding which data you need to decrypt.

For example, you could decide that you won’t decrypt specific class data that are especially sensitive. These might relate to banking, health care or government. Keep your board of directors, managers, and legal team informed of your intentions.

On the other hand, rather than decrypting everything, you should focus on specific high-risk categories of traffic. For example, this might be from newly registered domains, websites that have been recently infected or websites that are uncategorised.

There are other best practice hygiene approaches you can implement too. These include preventing users from connecting with expired or untrusted websites or self-signed certificates. Businesses can implement these options without needing to decrypt any traffic, but they significantly protect users.

Having decided what you want to do, you must ensure your technical implementation meets your organisation’s needs. Installing a next-gen firewall, for example, helps set your security policy while respecting the need to protect confidential traffic.

Hidden threats

So why do we need to worry about threats from encrypted traffic? The problem is that encryption is becoming ubiquitous. It’s now used not only to secure sensitive, personal or private information; today, we encrypt pretty much all traffic travelling around enterprise networks.

It is happening on the internet too. As far back as 2016, more than half of internet traffic was protected by HTTPS, which is much higher now. It is partly driven by Google and other search engines starting to penalise sites that don’t use SSL by ranking them lower in their search results.

The problem with this dash to encryption is that businesses can be left blind to security threats that may be contained inside their encrypted traffic. Attackers naturally want to leverage the lack of visibility to hide malicious code in encrypted traffic and disseminate their malware across the net. The availability of cheap or free SSL security certificates

from several sites compounds this. This has made SSL easier for attackers to deliver automated malware and phishing campaigns.

As a result, even legitimate websites that use SSL can become infected with malware. Insider attackers can also exploit encryption to hide data being stolen from the network.

If your business cannot see incoming threats, you can’t adequately guard against them. The capability to decrypt SSL traffic gives you the valuable ability to gain visibility into, classify, control and scan traffic to ensure it’s safe.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_XJTBGPGZEW	2 years	This cookie is installed by Google Analytics.
_gat_UA-202583883-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	16 years 2 months 11 days 22 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Exposing the hidden threats in encrypted traffic with SSL decryption

SSL is essential for three reasons:

Decryption and GDPR

Hidden threats

Consulting Services

Compliance Services

PCI Services

Cyber Services

Products

IT Infrastructure

How can we help you?