
New X25519 Cipher Throws Enterprise Surveillance for a Loop

Latest Skirmish in Consumer Privacy vs. Enterprise Security War

Last month in Norway, and probably across the world, another skirmish broke out in the global conflict between personal privacy and enterprise security. I happened to be with an enterprise customer in Oslo when Google rolled out a new encryption cipher between the Chrome v50 browser and Google services. Frequently updating the security posture of both clients and servers is a good thing, of course, and Google’s aggressive security development, especially around encryption, benefits the community as a whole.

The problem was that this particular enterprise, like many around the world, has a policy of scanning both incoming and outgoing Internet data, and this includes email services like Google’s Gmail, even if those services are encrypted. But, because the enterprise’s web gateway software did not support the new cipher, it was suddenly blind to data transiting between clients and the Gmail service. 

The administrators at the company were faced with a choice: either allow (whitelist) Gmail traffic without scanning it or disable access to Google services. They were loath to do the latter, because Europeans love Google as a search engine (Google has a near monopoly on searches in the EU), and many Europeans use Gmail. But whitelisting Gmail traffic was against the enterprise’s data security policy since unfiltered email obviously increases risks for ransomware, phishing, APTs, and all kinds of other mischief.

How did this happen?

There are a couple of ways to look at what happened here. 

“If Chrome updates, and then something stops working, then Chrome gets the blame.” - Adam Langley, Google Security Engineer in his blog entry “Cryptographic Agility.” 

One way to look at this problem would be to blame Google. They have the world’s most popular website (google.com), the most popular browser (Chrome), and the most popular email site (Gmail.com). And they experiment with new ciphers all the time. Sometimes they make vendors aware of upcoming changes, and sometimes they don’t; that’s their prerogative. Google is aware of corporate web gateway proxies, and they generally look the other way. Corporate and public proxies are so prevalent that Langley says in his blog: “we cannot break in these situations.”

Another perspective is that the web gateway software is to blame; after all, the cipher in question is not really new. Curve X25519 was first described by Daniel J. Bernstein as a high-performance, elliptic curve cipher in 2005, and OpenSSH has been using it by default since 2014. Check out this long list of “things that use X25519.” The vendor is caught flat-footed for not supporting a cipher that was gaining momentum in the encryption community, and the customer is left with the unpleasant choice of disabling scanning or disabling access.
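A check for this kind of gap, as an added example that is not part of the original article or any vendor's code: in TLS, X25519 is offered in the ClientHello's supported_groups extension, so comparing that list against what an inspecting gateway supports shows the mismatch before users hit it. The group IDs are from the IANA TLS Supported Groups registry; the ClientHello is a constructed sample, and the gateway's supported set is an assumption you would take from the vendor's documentation.

```python
import struct

# IANA "TLS Supported Groups" registry values (subset).
GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519", 30: "x448"}

def build_client_hello(groups):
    """Constructed sample: a minimal TLS ClientHello record offering `groups`."""
    ids = b"".join(struct.pack("!H", g) for g in groups)
    ext_data = struct.pack("!H", len(ids)) + ids
    exts = struct.pack("!HH", 10, len(ext_data)) + ext_data  # supported_groups
    body = (b"\x03\x03" + bytes(32)      # client_version, random (zeroed)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_groups(record):
    """Return supported_groups IDs from a ClientHello, in client preference order."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    if len(record) < 5 + struct.unpack("!H", record[3:5])[0]:
        raise ValueError("truncated record")
    try:
        p = 5 + 4 + 2 + 32                                # headers, version, random
        p += 1 + record[p]                                # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
        p += 1 + record[p]                                # compression_methods
        if p == len(record):
            return []                                     # no extensions block
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            if etype == 10:                               # supported_groups
                data = record[p + 4:p + 4 + elen]
                n = struct.unpack("!H", data[:2])[0]
                return [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            p += 4 + elen
        return []
    except (struct.error, IndexError):
        raise ValueError("malformed ClientHello") from None

def gateway_gap(record, gateway_supported):
    """Names of offered groups that are outside the gateway's supported set."""
    return [GROUPS.get(g, hex(g)) for g in offered_groups(record)
            if g not in gateway_supported]
```

Run over ClientHello records captured from a pilot group on a browser's beta channel, a non-empty `gateway_gap` result flags the mismatch ahead of a general rollout.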

Privacy vs. Security

Let me pause the conversation here to address privacy. Some users aren’t entirely comfortable with IT scanning their email and would circumvent the scanning if they could. But Internet access is hard enough to secure even when everyone in an organization follows all the rules. When users go around the rules, creating holes in the security policy, it becomes much harder to secure. That’s how ransomware happens. And business email fraud and APT, etc. Corporate users must understand that by using corporate equipment and corporate networks, they are consenting to their email being scanned for malware in order to protect the organization. And if they don’t want their email to be scanned, then they shouldn’t check personal information using corporate equipment or networks. Enterprise IT is probably a lot more respectful of privacy than hotel or coffee shop WiFi, and a lot safer. Enterprise IT actually worries about viewing traffic such as financial and healthcare data and makes strong efforts to avoid doing so.

The conflict between consumer privacy and enterprise security is going to happen more frequently. Think about all of these security technologies that have been invented and deployed in the last 15 years:

● Next Generation Firewall (NGFW)

● IDS/IPS

● Sandboxing

● DLP 

None of those technologies have visibility into encrypted traffic (they may claim they do, but nobody turns it on). That wasn’t a big deal five years ago when only a small fraction of outbound traffic was encrypted. But today, many enterprises report encryption rates anywhere from 25% to 80% of their outbound traffic. Malware authors are keenly aware of this “SSL blindness” and work to ensure that their payloads transit only within encrypted traffic (lest they get detected).

“I managed 7 sandbox appliances, and about a year ago I stopped getting alerts because everything is encrypted now,” says Sara Boddy, then VP of Information Security at a large media property-hosting site.

How do we get out of this mess?

The proportion of encrypted traffic keeps rising, so IT security administrators will be forced to do more SSL decryption if they are to get any value at all out of their fancy security tools. Vendors have historically struggled to provide a high-availability solution for SSL decryption due to its Man-in-the-Middle (MiTM) nature. Today, vendors have to provide these monitoring solutions with ephemeral certificates that fake out the users, and rely on Chrome to continue looking the other way (and hopefully not break things when they update ciphers).

An official TLS extension to endorse a privacy back door is unlikely at best. “We’ve asked the IETF TLS working group for an extension that would allow SSL intercept vendors to signal to end users that they are being monitored, but the working group has never shown interest in this idea,” says Xiaoyong Wu, a TLS software architect.

However, there is some good news on the horizon. The rising proportion of encrypted traffic is not going unnoticed by architects and vendors. Some vendors are preparing much more operationalized outbound SSL decryption architectures that mimic the sophistication of their inbound architectures. These new outbound architectures promise to alleviate many of the current pain points like the one the customer in Oslo has experienced.

Speaking of that customer, I checked with them today to see how they are faring with this problem. So far, it is still a stalemate between privacy and security. They hope to get back to scanning Gmail soon; the vendor has created a patch for their web gateway product, and is releasing it “any day now.”

David Holmes is an evangelist for F5 Networks' security solutions, with an emphasis on distributed denial of service attacks, cryptography and firewall technology. He has spoken at conferences such as RSA, InfoSec and Gartner Data Center. Holmes has authored white papers on security topics from the modern DDoS threat spectrum to new paradigms of firewall management. Since joining F5 in 2001, Holmes has helped design system and core security features of F5's Traffic Management Operating System (TMOS). Prior to joining F5, Holmes served as Vice President of Engineering at Dvorak Development. With more than 20 years of experience in security and product engineering, Holmes has contributed to security-related open source software projects such as OpenSSL. Follow David Holmes on twitter @Dholmesf5.