77% of internet traffic is now encrypted. That number has been climbing steadily and shows every sign of continuing to climb. What does it mean to us as security professionals when we are dealing with an internet that is increasingly dark to our tools?
- Traditional network security products (IDS/IPS, DLP, content filters) cannot inspect what they cannot read. If we want them to see the payload, something has to decrypt it for them.
- We have a limited number of precious places to look at traffic in its unencrypted state: notably proxies and endpoints. Endpoint detection is pretty clear and I’ve blogged about that at length, so let’s dig into proxies.
I think it might be useful to talk about the encryption process for a moment. As an illustration, let’s say that you want to share secrets in letters with your friend in another state. You and your friend meet and develop a way of encrypting your messages so that they won’t make sense to anyone who reads them while they’re in transit. There’s a whole science dedicated to the way you and your friend might come up with this, but for argument’s sake let’s just say you develop a really cool new-age Captain Crunch decoder ring that perfectly scrambles and obfuscates your message. You make two rings and your friend goes home to his state, anxiously awaiting your first letter.
So, you and your friend exchange encrypted letters. It’s a little more work, encrypting and decrypting the letters, but you go to sleep every night secure in the knowledge that no one can intercept your letters and read them.
This is essentially what happens every time you open your browser. You go to a web site, you and the site agree on decoder rings (in TLS this is the handshake), and you encrypt everything that passes between you so that no one else can read it. Encryption used to be a somewhat selective thing, applied around specific areas of concern like passwords or credit cards. Now it’s done for everything. Facebook encrypts everything, and so does Google.
So, what’s the problem? The problem is that companies have spent a lot of time and money putting network security devices at their perimeters to keep everyone safe. Those devices work by inspecting the traffic. And if they can’t read the traffic, guess what? They really can’t do much of a job inspecting it. Attackers know this too: malware routinely encrypts its command-and-control and exfiltration traffic, typically over the same port 443 that legitimate web traffic uses, so that it blends in with everything else the perimeter can no longer read.
Vendors affected by this problem are obviously working hard to stay relevant. They are releasing features to decrypt the traffic so it can be inspected. Since you’re now an encryption expert (thanks to my handy encrypted letter story), I’m sure you’re a little cynical about this claim. How can somebody just sit in the flow and read encrypted packets? Isn’t that the antithesis of the whole encryption thing? How do they do that? And if they can do that, why is encryption useful at all?
Meet your new friend Bob, the proxy. Bob sits between you and your friend, passing your letters back and forth. During the initial decoder ring creation, he impersonates (or becomes a proxy for) each of you to the other. You think you’re making decoder rings with your friend, but it’s really you and Bob who have matching rings. Likewise, your faraway friend is making rings with Bob instead of you. So your conversation with Bob is encrypted, and so is your friend’s, but Bob sees your letters. In TLS terms, the proxy terminates your connection, presents you with a certificate for the site that it minted itself, and opens a second, separate TLS connection to the real site.
So, what about Bob? Friend or foe? Well, he’s certainly slowing things down a bit, and complicating things. We have to make 4 rings now instead of 2. But maybe it’s worth it if he’s keeping you safe in some way. Or maybe you never wanted Bob in the first place. Who is this Bob and why is he reading my letters?
Trusting Bob is the key question. Bob can only play this role if the certificate he hands you was issued by someone you already trust: an intercepting proxy carries its own CA certificate, mints a certificate for each site on the fly, and the organization installs that CA in the trust store of every managed machine. Certificates are how your browser checks that the site at the other end is the one you asked for, and a certificate that chains to a trusted CA is exactly what makes Bob invisible. Whether that is safe depends on where you are. If I’m inside my corporate network and a company proxy wants to sit in my conversations, that’s probably OK; it’s their CA on their machine. If I’m on a wireless network in some sketchy town like Cleveland, maybe not, certificate or not. And if your browser tells you that someone without a trusted certificate is trying to get in the middle of your conversation, that is the time to opt out, not to click through. The one way to spot a trusted Bob is to look at who issued the certificate: a site’s real certificate comes from a public CA, while an intercepted one shows the proxy’s CA as the issuer. Applications that pin the certificate they expect will refuse the proxied connection outright, which is why some traffic cannot be inspected this way at all.
Based on our extended understanding of encryption and proxies, here are some key takeaways:
- Everyone loves encryption, including hackers.
- We need a plan for what to do with network security when everything is encrypted.
- Companies will need to use proxies to selectively and intelligently review traffic at their perimeter.
- One proxy really should be enough. It should decrypt the traffic once and hand the cleartext to every device that needs to inspect it. No sense piling up proxies; each one adds latency and another private key to protect.
- When we’re not inside our own company, we should be more aware of proxies as a rule, starting with a look at which CA issued the certificate for the site we’re on. On mobile devices, there are applications that will show you the certificate chain.
If you’re looking for some further reading, the Ponemon Institute has published a study on this along with recommendations.
Good luck in the dark.