In principle, communication via the encrypted HTTPS protocol (Hypertext Transfer Protocol Secure) increases security. Almost all banks and many online shops use this form of encryption for the secure exchange of sensitive data, such as in online banking or shopping. Websites such as Google, Facebook or Twitter are also increasingly relying on HTTPS encryption to ensure greater security.
But HTTPS has a drawback: encrypted traffic can be a threat, in particular for companies – even when it is implemented correctly.
The problem is that many conventional firewalls do not recognize encrypted malware for what it is, and therefore let it enter company networks unchallenged. More and more malware programmers are taking advantage of this situation to spread malicious code unnoticed.
The HTTPS protocol was developed by Netscape in 1994. It is meant to guarantee integrity and trust in communication between web servers and browsers, and achieves this using encryption and authentication to prevent the notorious man-in-the-middle attacks.
The additional data encryption takes place via SSL/TLS, continuously from server to client, which then decrypts the data again. SSL stands for Secure Sockets Layer. TLS is the successor to SSL, and stands for Transport Layer Security.
According to a recent study by Dell, encrypted internet traffic is growing rapidly with SSL and TLS. It more than doubled in 2014 – from 182 billion connections to 437 billion. In October 2014, 32.8 percent of the 150,000 most popular websites were HTTPS encrypted. And the trend is upward.
Almost none of this traffic is scanned for hidden malware. This means that one-third of all data traffic represents a potential entry point for malware directly into the company network.
A study by NSS Labs points out:
"It is ironic that the rising use of SSL, which is meant to make our online lives safer, is making corporate networks less secure by creating blind spots for the security infrastructure."
To close the security vulnerabilities created by HTTPS, a Next-Generation Firewall (NGFW) is needed. Only systems that are able to conduct a comprehensive SSL inspection, in order to examine encrypted communications for malware, are protected.
A Next-Generation Firewall combines a conventional firewall with a number of other functions and network devices, including an application firewall, deep packet inspection and an intrusion prevention system, as well as SSH and SSL inspection.
In order to inspect HTTPS network traffic, the firewall must analyze the data in cleartext. Therefore, encrypted data is first decrypted, then analyzed, and finally reencrypted and sent to the target computer. The firewall thus works between the server and the client, just like a man in the middle. It is certificates that enable this inline decryption. When the firewall acts, the browser no longer sees the original server certificate, but a version signed by the firewall, which it acknowledges with a warning.
Only with a trustworthy CA certificate does the browser accept the interruption of the encrypted data flow by the firewall without issue. CA stands for Certificate Authority. Digital CA certificates are issued by authorized certification authorities. A list of trustworthy CA certificates is hardcoded into the browser, which means it cannot be modified by the user. The distribution and installation of certificates on all clients in the company is the responsibility of the admin.
It is generally advisable to define a whitelist which bypasses SSL inspection for certain applications such as bank transactions. The admin should also keep an eye on the performance of the security solution in the company IT. SSL inspection leads to a certain latency, because data must be decrypted, analyzed and reencrypted.
The topic of security will be a key focus next March in Hannover at CeBIT. Many companies are presenting their latest solutions in this area. Visitors can meet with experts and discuss their questions about HTTPS, among other things.