
Dark Side Of The Encryption

Level 12

“Encryption makes it more difficult for governments and other third parties to monitor your traffic. It also makes it harder for Internet Service Providers (ISPs) to censor access to specific Wikipedia articles and other information”. - Wikimedia blog, June 12, 2015

“and that by the end of 2016 65-70% of traffic will be encrypted in most markets”. - Sandvine Global Internet Phenomena Spotlight

I recently met a bright young man who works for Google in Europe.

Me: It’s nice to meet you!

Him: It’s nice to meet you, too!

Me: I have to say that Google’s “HTTPS everywhere” makes my life harder as a network security professional.

Him: Well… This is the way to make things more secure.

Me: I agree, especially from the user’s perspective. But my job is still harder…

GOOGLE I/O 2014

Pierre Far and Ilya Grigorik gave an excellent Google I/O session for developers, titled HTTPS everywhere, in June 2014. They evangelized that ALL web communication should be secure, always and by default, in order to protect users’ privacy. To prevent Man-In-The-Middle (MITM) attacks, all web communication should be carried over HTTPS, which is HTTP over TLS. Pierre and Ilya stressed that HTTPS provides not only encryption of the client-server communication but also authentication of the server and integrity of the data. They then demonstrated best practices for setting up a secure website and the indexing signals Googlebot looks for.

EFF’s HTTPS EVERYWHERE

Google’s increasing use of HTTPS inspired the Electronic Frontier Foundation (EFF) to introduce HTTPS Everywhere (with an uppercase E in Everywhere), with version 1.0 released in 2011. HTTPS Everywhere is an open source browser extension for Firefox, Chrome, and Opera. For sites it has a ruleset for, the extension rewrites the browser’s HTTP requests to HTTPS automatically. As far as I understand, IE users can install the non-EFF Zscaler Tools HTTPS Everywhere; Safari users need to type https:// manually.

65-70% INTERNET TRAFFIC ENCRYPTED BY 2016

Sandvine, a Canadian network policy control vendor, conducted a study with a North American fixed access network service provider in April 2015 to measure the adoption of encryption in internet traffic. The study found that 29% of that provider’s downstream traffic was encrypted. YouTube contributed the majority of the encrypted traffic, followed by BitTorrent.

For the unencrypted traffic, Netflix contributed a 35% share (surprise, surprise, surprise not). This was an interesting finding because in April 2015 Netflix announced in its quarterly earnings letter that over the following year it would move movie streaming to HTTPS, in addition to the already encrypted log-in and other sensitive pages. With Netflix’s transition to secure content delivery, Sandvine predicted that almost two-thirds of that North American ISP’s traffic would be encrypted.

More and more websites are moving to HTTPS. For example, the Wikimedia Foundation announced in a blog post in June 2015 that it was in the process of encrypting all Wikimedia content with HTTPS and that it would use HTTP Strict Transport Security (HSTS) to protect against MITM attacks: once a browser has seen the HSTS header from a site, it refuses to talk plain HTTP to that site for the policy’s lifetime, so an attacker cannot downgrade the first request.
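As an added illustration (not code from the original post or from Wikimedia), the following Go program parses a Strict-Transport-Security header value the way RFC 6797 describes it and lists what a reviewer would flag: a missing or short max-age, subdomains left uncovered, or a preload request the policy does not qualify for. The header values at the bottom are constructed samples, not headers captured from any real site.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// HSTSPolicy is the parsed form of a Strict-Transport-Security header.
type HSTSPolicy struct {
	MaxAge            int64 // seconds the browser must insist on HTTPS
	IncludeSubDomains bool
	Preload           bool
}

const oneYear = 365 * 24 * 3600

// ParseHSTS parses the header value. Directive names are case-insensitive,
// max-age is mandatory, a repeated directive makes the header invalid and
// unknown directives are ignored (all per RFC 6797).
func ParseHSTS(v string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seen := map[string]bool{}
	for _, d := range strings.Split(v, ";") {
		d = strings.TrimSpace(d)
		if d == "" {
			continue
		}
		parts := strings.SplitN(d, "=", 2)
		name := strings.ToLower(strings.TrimSpace(parts[0]))
		if seen[name] {
			return HSTSPolicy{}, errors.New("duplicate directive: " + name)
		}
		seen[name] = true
		switch name {
		case "max-age":
			if len(parts) != 2 {
				return HSTSPolicy{}, errors.New("max-age without a value")
			}
			n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(parts[1]), `"`), 10, 64)
			if err != nil || n < 0 {
				return HSTSPolicy{}, errors.New("max-age is not a non-negative integer")
			}
			p.MaxAge = n
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seen["max-age"] {
		return HSTSPolicy{}, errors.New("max-age is required")
	}
	return p, nil
}

// Weaknesses returns the review findings for a parsed policy; an empty slice
// means the policy is as strong as the header can express.
func Weaknesses(p HSTSPolicy) []string {
	var w []string
	switch {
	case p.MaxAge == 0:
		w = append(w, "max-age=0 removes the policy from the browser")
	case p.MaxAge < oneYear:
		w = append(w, "max-age shorter than one year; protection lapses between visits")
	}
	if !p.IncludeSubDomains {
		w = append(w, "includeSubDomains missing; cookies scoped to the parent domain can leak over HTTP to subdomains")
	}
	if p.Preload && (p.MaxAge < oneYear || !p.IncludeSubDomains) {
		w = append(w, "preload requested but the policy does not meet the preload list requirements")
	}
	return w
}

func main() {
	// Constructed sample header values for illustration.
	for _, h := range []string{
		"max-age=31536000; includeSubDomains; preload",
		"max-age=300",
		"includeSubDomains",
	} {
		p, err := ParseHSTS(h)
		fmt.Printf("%-45q -> %+v err=%v findings=%v\n", h, p, err, Weaknesses(p))
	}
}
```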

CHALLENGES OF MONITORING ENCRYPTED TRAFFIC

My team has recently been working on a project to migrate our perimeter firewalls to Next Generation Firewalls (NGFW). Before putting them inline, we ran them in monitor mode. What did we observe? Over 95% of our DMZ inbound traffic was encrypted. That is no surprise, because our company’s website enforces HTTPS connections. About 60% of our outbound web traffic was encrypted. And of course, in monitor mode alone, our NGFW found ZERO threats in the encrypted traffic.
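To make concrete what a firewall in monitor mode can still read from an HTTPS session, here is an added Go example (not code from the original post or from any NGFW vendor) that parses the one handshake message that is always sent in the clear, the TLS ClientHello, and pulls out the server name (SNI) and the offered cipher suites. The hostname, cipher list and record bytes are constructed in the program itself, not captured traffic; everything after the handshake (URL, headers, payload) is encrypted and never reaches this parser, which is exactly why a passive sensor reports no threats.

```go
package main

import (
	"errors"
	"fmt"
)

// HelloInfo is what a passive sensor can read from a ClientHello before the
// connection switches to encrypted records.
type HelloInfo struct {
	SNI    string   // server_name extension, empty if the client sent none
	Suites []uint16 // offered cipher suites in client preference order
}

func u16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func be16(b []byte) int              { return int(b[0])<<8 | int(b[1]) }

// BuildClientHello assembles a minimal ClientHello record (legacy version
// 0x0303, zero random) carrying a server_name extension. Constructed sample
// input for this example, not a capture from a real client.
func BuildClientHello(host string, suites []uint16) []byte {
	name := []byte(host)
	var sni []byte // ServerNameList: list_len | name_type(0=host_name) | name_len | name
	sni = u16(sni, uint16(3+len(name)))
	sni = append(sni, 0)
	sni = u16(sni, uint16(len(name)))
	sni = append(sni, name...)
	var ext []byte // Extension: type 0x0000 (server_name) | len | body
	ext = u16(ext, 0x0000)
	ext = u16(ext, uint16(len(sni)))
	ext = append(ext, sni...)

	var body []byte
	body = append(body, 0x03, 0x03)          // client_version
	body = append(body, make([]byte, 32)...) // random
	body = append(body, 0)                   // session_id length
	body = u16(body, uint16(2*len(suites)))  // cipher_suites length
	for _, s := range suites {
		body = u16(body, s)
	}
	body = append(body, 1, 0) // compression_methods: null only
	body = u16(body, uint16(len(ext)))
	body = append(body, ext...)

	hs := []byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))} // HandshakeType client_hello
	hs = append(hs, body...)
	rec := []byte{0x16, 0x03, 0x01} // TLSPlaintext: ContentType handshake, record version 1.0
	rec = u16(rec, uint16(len(hs)))
	return append(rec, hs...)
}

// ParseClientHello walks the record and returns SNI and cipher suites with
// bounds checks at every length field. It never sees the HTTP request.
func ParseClientHello(rec []byte) (HelloInfo, error) {
	var info HelloInfo
	if len(rec) < 5 || rec[0] != 0x16 {
		return info, errors.New("not a TLS handshake record")
	}
	if len(rec) < 5+be16(rec[3:]) {
		return info, errors.New("truncated record")
	}
	hs := rec[5 : 5+be16(rec[3:])]
	if len(hs) < 4 || hs[0] != 0x01 {
		return info, errors.New("not a ClientHello")
	}
	hsLen := int(hs[1])<<16 | be16(hs[2:])
	if hsLen < 35 || len(hs) < 4+hsLen {
		return info, errors.New("truncated ClientHello")
	}
	p := hs[4 : 4+hsLen][34:] // skip client_version(2) + random(32)
	sidLen := int(p[0])
	p = p[1:]
	if len(p) < sidLen+2 {
		return info, errors.New("truncated session_id")
	}
	p = p[sidLen:]
	csLen := be16(p)
	p = p[2:]
	if csLen%2 != 0 || len(p) < csLen+1 {
		return info, errors.New("truncated cipher_suites")
	}
	for i := 0; i < csLen; i += 2 {
		info.Suites = append(info.Suites, uint16(be16(p[i:])))
	}
	p = p[csLen:]
	cmLen := int(p[0])
	p = p[1:]
	if len(p) < cmLen {
		return info, errors.New("truncated compression_methods")
	}
	p = p[cmLen:]
	if len(p) < 2 {
		return info, nil // no extensions at all: legal, but then no SNI either
	}
	if extLen := be16(p); len(p[2:]) < extLen {
		return info, errors.New("truncated extensions")
	} else {
		p = p[2 : 2+extLen]
	}
	for len(p) >= 4 {
		typ, l := be16(p), be16(p[2:])
		p = p[4:]
		if len(p) < l {
			return info, errors.New("truncated extension")
		}
		if typ == 0 && l >= 5 && p[2] == 0 { // server_name, first entry of type host_name
			if n := be16(p[3:]); 5+n <= l {
				info.SNI = string(p[5 : 5+n])
			}
		}
		p = p[l:]
	}
	return info, nil
}

func main() {
	rec := BuildClientHello("www.example.com", []uint16{0x1301, 0xc02f})
	info, err := ParseClientHello(rec)
	fmt.Printf("sni=%q suites=%#04x err=%v\n", info.SNI, info.Suites, err)
}
```

The SNI and cipher list are the metadata that URL filtering and reputation checks fall back on when traffic is not decrypted; a sensor can block a hostname on this basis, but it cannot inspect the request or response.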

How do you monitor the activity inside encrypted traffic? You may say: implement SSL interception. SSL interception is the polite term we in information security use for what it is, a MITM attack (a white-hat one). The proxy terminates the client’s TLS session, presents a certificate it mints on the fly for the requested hostname, signed by an enterprise CA that every managed endpoint has been made to trust, and opens its own TLS session to the real server. It works only because of that trusted CA; anything that does not trust it, or that checks the server’s real certificate, sees the attack for what it is.

Even though we have the executives’ blessing to implement SSL interception for DLP, IPS, IDS, etc., we certainly cannot promise our employees 100% satisfaction. NGFW and web proxy vendors publish lists of applications that break when SSL interception is enabled, typically because the client pins its server certificate, uses client certificates, or otherwise refuses the interception CA. The lists include Microsoft Update, the iTunes Store, GoToMeeting, and Dropbox, and the usual fix is to exempt those destinations from decryption, which is itself a blind spot. Besides the high cost (money and manpower) of implementing SSL interception for visibility and control, I wonder how many companies are simply blind to the encrypted traffic on their network.

Lastly, I would like to point out that Jacob Thompson of Independent Security Evaluators presented a method for defeating SSL interception, which he demonstrated at DerbyCon 4 in 2014. My point is that the half-million to million-dollar NGFW/IPS may not give you the 100% visibility you expect.
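The two preceding points, that SSL interception stands or falls on the endpoint trusting the interception CA and that pinned clients refuse the proxy’s certificate, can be reproduced offline. The Go program below is an added example (not code from the original post, from ISE, or from any firewall vendor): it generates a throwaway public root, a genuine certificate for the site, a corporate interception CA and a proxy-minted certificate for the same hostname, then checks each certificate the way a browser would with and without the corporate CA installed, and finally applies an SPKI pin taken from the genuine certificate. The CA names, the hostname and all keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl with parentKey (self-signed when parentKey is nil) and
// returns the parsed certificate together with its freshly generated key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verifies reports whether leaf chains to one of roots for host, which is the
// check a browser performs before showing the padlock.
func verifies(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value a
// pinning client (HPKP, Android network security config, mobile apps) compares.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Outcome records how each client configuration treats the two certificates.
type Outcome struct {
	RealLeafVerifies    bool // genuine site cert, only the public root trusted
	ProxyLeafVerifies   bool // proxy-minted cert, only the public root trusted
	ProxyLeafWithCorpCA bool // proxy-minted cert once the interception CA is installed
	RealLeafMatchesPin  bool // SPKI pin learned from the genuine cert
	ProxyLeafMatchesPin bool // the same pin applied to the proxy cert
}

// Scenario builds the constructed PKI for host and evaluates it.
func Scenario(host string) Outcome {
	pubT := caTemplate("Public Root CA (constructed)", 1)
	publicRoot, publicKey := newCert(pubT, pubT, nil)
	realLeaf, _ := newCert(leafTemplate(host, 2), publicRoot, publicKey)
	corpT := caTemplate("Corp SSL Interception CA (constructed)", 3)
	corpCA, corpKey := newCert(corpT, corpT, nil)
	proxyLeaf, _ := newCert(leafTemplate(host, 4), corpCA, corpKey)
	pin := spkiPin(realLeaf)
	return Outcome{
		RealLeafVerifies:    verifies(realLeaf, host, publicRoot),
		ProxyLeafVerifies:   verifies(proxyLeaf, host, publicRoot),
		ProxyLeafWithCorpCA: verifies(proxyLeaf, host, publicRoot, corpCA),
		RealLeafMatchesPin:  spkiPin(realLeaf) == pin,
		ProxyLeafMatchesPin: spkiPin(proxyLeaf) == pin,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario("www.example.com"))
}
```

The proxy certificate is rejected by an unmanaged client and accepted by a managed one, which is the whole design of SSL interception; the pin check fails for it in both cases, which is why the pinned applications on the vendors’ bypass lists stop working rather than quietly accepting the proxy.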

Do you encounter any challenge to detect threats with the increasing encrypted traffic on the infrastructure? Do you have any successful and failure story to share? I would like to hear from you.

22 Comments
Level 14

I am not sure you can ever get to 100%/100%.

Certain industries (financial) are getting pushed to encrypt everything, but the practicality of that is just not totally there yet.

That said, the next cottage industry will be encryption hacks..... like sharks following a blood trail....

Product Manager

Another example where defense in depth is important, too. Presumably malware will also happily traverse the internet encrypted during delivery, but can still wreak havoc once it hits endpoints. If you imagine your network without a perimeter, all traffic encrypted, how do you protect the soft chewy center?

Level 12

I like how colby put it, "Defence in Depth." At some point the data has to be unencrypted to work with. It's a matter of re-tooling tools to identify where to monitor. I personally feel that some network based security monitoring is going to lose value if it relies on purely unencrypted traffic.

It does pose some real challenges for things like web filtering to a degree. A lot of it still functions but at the metadata level (thanks NSA), just don't expect to see the whole message being transmitted. For that you will need to be a Man In the Browser.

I doubt most people truly understand the issues with encrypted network data. For example, network optimization appliances have difficulty deduplicating encrypted network traffic, as it is all unique.

Level 15

Good points.  For me, I was thinking that if malware and exploits are also using encryption, then the toolsets at the end-points will need to be upgraded and defined for high security.  As the payload will be delivered all the way through to the center of the security onion.  Things like IP reputation filtering will need to be improved.  It would be somewhat of an inconvenience but it would be great if when you connected to a secure website for some transaction that you had some sort of two-part authentication to ensure that you are not seeing any MitM activities. 

Product Manager

I just read this as well, interesting blogs on detection vs. prevention in the "new" world including encrypted communication...

Time's Running Out For The $76 Billion Detection Industry and Detection: A Balanced Approach For Mitigating Risk

MVP

Playing catch-up on posting.. Good stuff.

I wish more traffic on the internet was encrypted.  The https Everywhere extension is something I need to look at.

Thank you for sharing...

Maybe it is best to monitor the endpoint desktops?  Is there an answer?

RT

Patching will continue until security improves

Level 12

Encrypting everything is not far from impractical. We no longer need specialized ASICs to perform encryption/decryption; the x86 processors are more than fast enough.

Level 12

100% agree with you on defense in depth.

For the soft chewy center, even if we put the shiny IPS/NGFW there, we'll have zero visibility to encrypted traffic.

If you haven't seen my last year's post, Winning The Loser's Game of Information Security, you may want to check it out.

Level 12

Well put!!!

And I believe that you understand the issues we face today. Thank you for sharing.

Level 12

I would say that you added good points, too.

Level 12

Thank you for sharing these two articles!

Level 12

You are welcome.

As a user, I certainly want to secure my internet activities. But as an enterprise network security professional, I face the challenges of increasing encrypted traffic on the network.

Level 12

What about the BYODs on the network? Nowadays, they are as powerful as desktops in terms of their processing power.

Product Manager

Patching will continue until security improves

This made me laugh out loud.

I have been trying to get this phrase made into a button or T-shirt for Solarwinds or Thwack.

Plus, if you think about the topic, patching and rights management might be the only hope to secure systems and networks in the future.

RT

Level 15

I agree that was a good one.

Level 21

I think the security is overall a good thing and the technology for it is certainly there.  Our monitoring technology and techniques will need to evolve to support the new security models.

Level 9

I agree with mfmahler to some extent. Faster processors are being built though, more money for the manufacturer.

Level 12

This would be very nice.

Level 9

I agree with byrona totally.

Level 12

Thanks for the information.

About the Author
CCIE Data Center #46006. I am a passionate IT professional who splits the work hours between being a Datacenter Architect and a Network Security Specialist. Yes, I enjoy this double-personality professional life.