You simply cannot decrypt everything! I’m not saying you shouldn’t decrypt user traffic, but it is important to understand that some services cannot be decrypted by a network proxy, no matter how it is configured.
Here’s some basic information on SSL decryption:
• SSL (today, TLS) is a protocol based on trust: the client accepts a server’s certificate only if it chains up to a Certificate Authority (CA) listed in the client’s “Trusted CA certificates” store.
• When SSL traffic is decrypted on a web proxy, that trust is deliberately broken. The proxy terminates your connection, generates its own certificate for the site on the fly and opens a second connection to the real server. Your browser thinks it is communicating with Google while in fact it is talking to your web proxy.
• A network administrator is able to do this by adding the proxy’s signing CA to the “Trusted CA certificates” store on your laptop, so that every certificate the proxy generates is trusted. Without that step the browser would show a certificate warning on every decrypted site. This is what allows decryption of your SSL encrypted traffic.
In an authorised environment this is termed “SSL decryption” or “SSL visibility”.
If a hacker does the exact same thing, this would be termed a “man in the middle attack”, and indeed this method is used by many attackers.
Some software vendors choose not to rely on the “Trusted CA certificates” store on your machine. They can only do this when their own client software is installed, because an application running inside a browser has to live with the browser’s trust decisions.
For example: Dropbox
• Dropbox through your regular Internet browser: your browser trusts your system’s “Trusted CA certificates” store, so the proxy’s certificate is accepted. This can be decrypted.
• Dropbox through the installed software client for Windows: the client is hardcoded with the CA certificate it should trust, so the proxy’s substitute certificate is rejected and the connection fails instead of being decrypted. This cannot be decrypted.
This technique of limiting the trusted certificates is called Certificate Pinning. It prevents anyone, authorised proxy or attacker, from decrypting the traffic: a pinned client simply refuses to connect through the interception point. For now only a few services use certificate pinning, but the list will likely grow. Some vendors currently use it to ensure their traffic cannot be decrypted, such as WhatsApp, Microsoft Update, Dropbox, EAgames and others. There are many lists of these services shared on the Internet.
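The difference between the browser and the pinned client described above can be reproduced end to end with the openssl command line. The script below is an added example and is not Axial’s material or Dropbox’s code: it builds a constructed “Genuine Public CA” and a constructed “Corporate Web Proxy CA”, issues a certificate for the made-up hostname www.example.com from each, and checks both certificates two ways. store_check is the browser’s behaviour (accept anything that chains to a CA in the trust store, which is why adding the proxy CA makes the proxy’s certificate pass), and pin_check is the installed client’s behaviour (accept only the SubjectPublicKeyInfo hash that shipped with the client). Because the proxy never holds the real service’s private key, its substitute certificate necessarily carries a different key, and the pin rejects it whatever the trust store says.

```shell
#!/bin/sh
# Added example (not from the original page): trust-store validation versus
# certificate pinning, using only the openssl CLI. The CA names, the hostname
# www.example.com and the EC key type are constructed for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed CA: $1 = file prefix, $2 = CA name.
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" -days 1 2>/dev/null
}

# Issue a leaf certificate for www.example.com: $1 = file prefix, $2 = issuing CA.
# Each call generates a fresh private key, exactly as a proxy must, because it
# never possesses the real service's key.
issue_leaf() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=www.example.com" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 1 2>/dev/null
}

# SPKI pin: base64(SHA-256(DER SubjectPublicKeyInfo)), the format used by
# HPKP and by most pinning libraries. $1 = certificate file.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# Browser behaviour: accept any certificate that chains to a CA in the store.
# $1 = trust store (PEM bundle), $2 = certificate. Prints accept or reject.
store_check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# Pinned-client behaviour: accept only the key whose pin shipped with the client.
# $1 = expected pin, $2 = certificate. Prints accept or reject.
pin_check() {
  if [ "$(spki_pin "$2")" = "$1" ]; then
    echo accept
  else
    echo reject
  fi
}

make_ca genuine "Genuine Public CA"        # the CA the real service uses
make_ca proxy   "Corporate Web Proxy CA"   # the CA the web proxy signs with
issue_leaf real  genuine                   # what the real service presents
issue_leaf spoof proxy                     # the proxy's on-the-fly substitute

cat genuine.crt > store.pem                            # laptop that trusts public CAs only
cat genuine.crt proxy.crt > store_with_proxy.pem       # after the admin adds the proxy CA
PIN=$(spki_pin real.crt)                               # hardcoded into the installed client

echo "browser, public CAs only : real=$(store_check store.pem real.crt) spoof=$(store_check store.pem spoof.crt)"
echo "browser, proxy CA added  : real=$(store_check store_with_proxy.pem real.crt) spoof=$(store_check store_with_proxy.pem spoof.crt)"
echo "pinned client            : real=$(pin_check "$PIN" real.crt) spoof=$(pin_check "$PIN" spoof.crt)"
```

To check a live service rather than the constructed certificates, save the leaf certificate from `openssl s_client -connect host:443 -showcerts` to a file and pass it to spki_pin; if the hash you get through the proxy differs from the one you get from an uninterposed network, the proxy is substituting its own key, and any client that pins the real key will fail to connect. Those connection failures, not decrypted traffic, are the symptom to look for in the proxy logs.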
This is not the only way to prevent SSL decryption, as the IT landscape is constantly evolving:
• Some applications don’t follow the SSL standard (proprietary handshakes or their own encryption layer inside the tunnel), so a proxy cannot interpose on them and they cannot be decrypted
• New protocols are coming: HTTP/2 and SPDY/2. The way security products handle them will also have to evolve with them
What can you do for these applications?
• You could deny the use of these apps
• You could allow use without decryption – if you trust the service
• For applications like Dropbox, you may allow web access and deny the client software
• And of course, you can still rely on your good old endpoint software (anti-virus, host-IPS, DLP, application control etc…)!
Every website and every application can change without any warning. This usually has an impact on security solutions that perform application filtering, which need to adapt quickly to the change. This can be addressed through the use of dynamic security solutions such as Application Control or Web Filtering on Next-Gen Firewalls or Proxies. These features rely on cloud-based categorisation databases that are updated every day (if not more frequently) and so adapt to application changes very quickly.
Creating an environment where trust is everything and can be relied upon is the utopia to which we all strive to reach, however, until that day arrives, watch your certificates and keep your trusts unbroken!
You can benefit from years of experience and expertise from Axial Systems to increase the security of your business. We are partners with leading security companies and will provide you with unbiased advice based on your existing network and real business needs.