Corporate Problems with SSL
Benjamin Low on ZDNet Asia wrote about some of the problems corporations face when dealing with SSL encrypted traffic on their network. Though he raises some interesting questions, some of his arguments are flawed.
He lists the following "Vulnerabilities of HTTPS":
- Virus scanning and content filtering cannot be applied to encrypted content
- Outbound content filters to control dissemination of intellectual property or confidential protected information cannot be applied to SSL encrypted content
- Web server certificates can be stolen, bogus, expired or revoked (although they are regularly updated, certificate revocation lists are rarely checked by users)
- Popular browsers are notoriously vulnerable to certificate insertion attacks that allow malicious third-parties to establish trusted connections through corporate networks
- Access logs do not report "user agent" or "referrer" fields for HTTPS requests, making monitoring, audits and policy enforcement nearly impossible
- An array of tunneling methods, services and tools are easily within the average employee's reach and are already common in several forms in most enterprises (Bouncer, Guardster, CryptoTunnel, Web Mail, etc.)
- Employees are allowed to decide when a certificate can be trusted, but often lack the requisite knowledge to apply appropriate diligence to this decision
- Legitimate certificates can easily be acquired by criminals and may be enough to make Web users feel information they provide is secure when it actually is not
Benjamin brings up some very important points. Corporations have no power to filter harmful or sensitive information when an SSL connection is used. There are various methods of addressing these problems. You can ensure that malware is not a problem by making sure every employees computer has Antivirus software that is updated automatically. Benjamin offers the following solutions for corporations that need to monitor all netowrk traffic:
While a solution has been elusive due to the challenges of scanning HTTPS for unwanted contents, the situation is not entirely hopeless.
One approach is to temporarily decrypt the SSL contents, filter the contents with normal content filters and the contents are then re-encrypted before they are delivered through the SSL tunnel. The following is a sample of protection options that companies can consider to monitor and control threats via SSL.
- Gateway antivirus and antispyware scanning
Scanning at the gateway is important because it stops viruses and malicious mobile code before it travels through the network. However, encrypted content has been impossible to scan at the gateway. By decrypting HTTPS content at the gateway and scanning for viruses, companies can rely on the same level of protection for HTTPS that is available for HTTP, FTP, and e-mail.
- Outbound content control (OCC)
Several IT security products offer outbound content control products but they are ineffective for encrypted content. By first decrypting HTTPS file transfers, enterprises can better manage and control the various SSL channels where previously contents can pass through freely in and out of the network.
- Certificate management
Most enterprises closely scrutinize companies they choose to partner or do business with offline but procedural weaknesses in the SSL certificate exchange process make this more difficult to scrutinize trading partners when transacting online. Centralizing certificate policy at the gateway removes the burden of this decision from employees and allows administrators to enforce a consistent policy.
- Flexible policy enforcement
All SSL encrypted traffic should in general be inspected. Most enterprises will want to deploy flexible policies on exactly what traffic to what site is decrypted or for which category of users. For example, executive level management may be completely exempt from SSL scanning while for the general user, SSL scanning may be deactivated for certain trusted banks or trusted categories of Web sites.
Keep in mind that if you use a gateway to decrypt the SSL traffic, you are opening a potential new security hole. If someone compromises the gateway, they will have access to view all the traffic going through it. Also, there are a couple of flaws in Benjamin's analysis of the "vulnerabilities" of SSL. For one, bogus, expired, and revoked certificates all give a strong warning in web browers and all modern browsers automatically check certificate revocation lists.
Also "certificate insertion attacks that allow malicious third-parties to establish trusted connections through corporate networks" are practically impossible when SSL certificates are implemented properly.
Securing encrypted traffic in SSL - [ZDNet Asia]
Originally posted on Sun Dec 21, 2008