It has been a busy three years since NSS Labs published its last report on encryption. More than 45% of websites are encrypted today (up from 30% a year ago in October 2015) and encrypted enterprise traffic has reached 40 – 50%, up from 25% – 35% in 2013. This is significant growth—and in what feels like a very short time frame.
Why the change? Well, for a lot of reasons. Google’s addition of encryption as a website ranking signal has been a financial motivator for many. Also, there are now fewer technological and cost barriers—for instance, free digital certificates can now be automatically added by website hosting companies. These are just two examples, but hopefully they drive home that a wide variety of factors are at play and that encryption as a technology is not going away any time soon.
Is encryption primarily a privacy mechanism, or is it a security mechanism? It’s both, actually. Certainly, web traffic using TLS/SSL encryption is critical to provide protection against eavesdropping. However, it in no way guarantees that the encrypted content does not contain malicious code, or that proprietary corporate information, credit card information, or even personal conversations are not being exfiltrated.
At NSS, we have seen a rise in the number of attacks that are buried in encrypted traffic, and this underlines the need for security controls that can see inside this hidden communication. We are publishing a series of Tech Briefs on encryption, and for those of you that are as interested in the technology as we are, here’s a snapshot of what you can look forward to:
- Part 1 looks at what is driving the technology forward and sets the stage for the rest of the series.
- Part 2 investigates the other side of the secure communications coin, specifically, the use of encryption for malicious purpose.
- Part 3 takes on the mechanics of encryption and the modern technologies used to decrypt and inspect encrypted traffic.
- Part 4 answers the question of how enterprises can ensure privacy while maintaining security.