This article originally appeared in Forbes.
Secure sockets layer (SSL) is an industry-standard method for secure communications on the internet. SSL—along with its successor, transport layer security (TLS)—is the commonly accepted standard for securing data in transit. SSL protects data using cryptographic techniques that leverage public and private keys for encryption and decryption. The SSL cryptographic model uses certificates to validate the authenticity of communicating entities.
Websites use SSL to ensure secure connections between a user’s web browser and the web server. Hypertext transfer protocol (HTTP) is the ubiquitous text protocol of the internet. An SSL-secured website URL begins with "https" (note the “s”) and, depending on the browser, typically has a “lock” icon next to it in the address bar. HTTPS leverages SSL/TLS for authentication and encryption to secure HTTP. This is vital because the information that you send on the internet is passed along from one device to another before it reaches its intended destination. Unsecured HTTP transmits clear text and is not safe for sensitive information such as credit card numbers, usernames and passwords, which may be seen by intermediate devices. When the information is encrypted and protected by SSL/TLS and transmitted by HTTPS, only the intended recipient can decrypt and consume the information.
Originally developed in 1994, the SSL protocol has evolved to become even more secure. Initially, SSL was intended primarily to secure banking and e-commerce transactions. With the rise of data-privacy concerns, more websites now enable SSL by default. According to the most recent Google Transparency Report, 93% of the pages loaded in Google Chrome were encrypted using HTTPS as of April 6. The same report notes that 96 of the top 100 internet sites use HTTPS encryption (and account for 25% of all traffic). This is great news for privacy, but it has created new challenges for enterprise security.
For years, the “lock” image next to a website’s URL address provided an assurance of safety. Not anymore: Cybercriminals encrypt, too, and an HTTPS URL can hide difficult-to-detect malware. For enterprise security professionals, decrypting, inspecting and re-encrypting SSL traffic is nontrivial. With traditional hardware-based security, a full inspection can slow data transit. And it’s difficult for those legacy systems to scale to accommodate that inspection without a dramatic performance degradation. Bad actors know this and use SSL to their advantage, serving encrypted malicious content, hiding malware and launching attacks beyond most organizations’ scope of detection.
Bad actors exploit SSL security in a number of ways:
• Hiding dangerous viruses, spyware and other malware.
• Building payload-delivering websites that use SSL encryption.
• Injecting malicious content into well-known and trusted SSL-enabled sites.
• Hiding data leakage, such as the transmission of sensitive financial documents from an organization to an external destination.
• Anonymizing browsing, preventing corporate policy oversight.
More and more websites are switching to HTTPS delivery, making the ability to inspect and control traffic to and from those sites essential to an organization’s security posture. Enforcing that security posture requires SSL interception.
Combatting encrypted malware starts with SSL interception, followed by inspection, assessment and action to ensure nothing bad comes in and no confidential information leaks out. SSL inspection is computationally intensive. It typically requires a proxy server that can terminate the client connection, decrypt the content, analyze it for security issues or policy violations, re-encrypt it and then send it to the server. The process isn’t getting easier: As cryptographic standards evolve, increases in SSL/TLS protocol algorithm and cipher complexity only make the inspection more onerous, which can further impact the user experience. To alleviate performance degradation pain, some IT organizations “bypass” popular sites or, even worse, disable SSL inspection entirely.
Many vendors offer SSL inspection. Enterprise IT leaders considering SSL capabilities and performance would do well to keep the following in mind:
The internet is moving to default SSL/TLS-based encryption, and in most cases, it already has. And so have security threats, which leverage encryption technology to penetrate enterprise defenses. SSL interception is vital for enterprise security, and enterprises must carefully evaluate security stacks to ensure SSL interception capability at scale ... without compromising the user experience or the bottom line.
Amit Sinha is CTO and Executive Vice President of Engineering and Cloud Operations at Zscaler