Private, But Not Secure: HTTPS is Hiding Cybercrime

Importance of SSL Inspection


Encrypted communications have boomed in popularity in the aftermath of the Snowden leaks in 2013, which has ironically opened up a new pathway for cybercriminals. Since those fateful revelations years ago, the world has witnessed a sharp increase in encrypted web traffic—reaching half of all global traffic at the beginning of this year and zooming past more than 65 percent this past May, according to published browser statistics from Chrome and Firefox.

While web site operators of all stripes have shifted to SSL encryption, malware authors have also followed suit. Every major ransomware family since 2015 has been distributed at some point via HTTPS, including Petya, Locky and Jigsaw. My team recently dug into our mass of threat data and found that 36 percent of global malware is using SSL encryption—still lower than the overall share of SSL in web traffic, but a significant number and a startling increase. In 2013 Gartner pegged the same statistic at “less than 5 percent,” and an NSS Labs study that same year found that less than one percent of malware was using SSL.

The fact is, despite that growth, most businesses today are not inspecting their HTTPS traffic for threats. A pair of Osterman Research studies in the past year have shown that the adoption of SSL traffic inspection is low and varies greatly from region to region. For instance, a survey this past February revealed that only 19 percent of UK organizations are applying security to SSL traffic, while in the US a study pegged the number at a bit over 50 percent, meaning nearly half aren’t. Regardless of the geographical variations, this translates into vast numbers of organizations leaving themselves vulnerable to a significant proportion of threats today. 

The massive shift of the majority of web use to SSL encryption has become a double-edged sword. While it increases users’ privacy, it can create blind spots in many organizations, where malware in the HTTPS channel is essentially hidden from most web security tools. And as companies such as Google boost search rankings for sites that use HTTPS (and punish those who don’t with “not secure” warnings), the volume of encrypted traffic will continue to grow at escalating rates. The free SSL certificate authority “Let’s Encrypt,” which launched just last year, has no doubt contributed to the recent run-up.

It’s clear that many IT administrators underestimate this threat by failing to implement inspection. But looming larger than those concerns is the fact that many companies still don’t recognize SSL inspection as the basic necessity it has become. For all the laudable motives which have made SSL encryption the new normal for web transport, I’m convinced those green padlocks and SSL certificate marketing icons that say things like “100% Secured Website Guaranteed” and “100% Secure Connection” have sown confusion around what SSL does and does not do. While SSL encryption protects against criminal eavesdropping and man-in-the-middle attacks, it does not enforce any security standards beyond encryption and authentication. This means that SSL may guarantee the integrity of the data in your connections, but that includes the delivery of cyber threats. HTTPS guarantees privacy, not security.

Ignorance is evidently not the only reason some have not yet implemented such inspection; organizations also cite a lack of available tools and personnel, increased costs, concern over the gateway performance degradation that full inspection can bring with it, or privacy concerns. But those explanations don’t change the fact that if a company is not inspecting HTTPS traffic today for threats, its security has developed a very large—and growing—gap. Inspection of HTTPS traffic is really no longer optional.
