Web encryption, i.e., HTTP within TLS/SSL, reduces risk by helping Internet users maintain confidentiality, preserve the integrity of their data, and authenticate securely to remote services, such as banking websites. However, if organizations do not deploy security controls that can inspect HTTPS communication, they will not see all criminal activity, including inbound initial compromise and infection, lateral movement, and outbound exfiltration.
Uncovering hidden communication is only part of the problem. While there are plenty of web servers that encrypt web traffic, many do not—and there are still weaknesses in those that do. Such weaknesses include having only some of the web content encrypted, utilizing vulnerable versions of TLS/SSL protocols, weak RSA key sizes, lack of HSTS headers, and the absence of forward secrecy features. Threat actors use these deficiencies to enable the root access they require for full compromise.
Not only must organizations scan encrypted content, they must also maintain the encryption technologies that protect their systems – IT security personnel have their work cut out for them. The good news is that we are moving towards a more secure online experience. Independent researchers, research companies, and system administrators are on the lookout for new weaknesses in encryption protocols and are continuously testing older ciphers to determine whether they are vulnerable. Without their efforts, we would all be much more exposed.
For more on the malicious use of TLS/SSL, read my second paper in a series on the encrypted web: The Encrypted Web: Part 2 – Malicious Traffic.