Private, But Not Secure: HTTPS is Hiding Cybercrime

Importance of SSL Inspection

Encrypted communications have boomed in popularity in the aftermath of the Snowden leaks in 2013, which has ironically opened up a new pathway for cybercriminals. Since those fateful revelations years ago, the world has witnessed a sharp increase in encrypted web traffic—reaching half of all global traffic at the beginning of this year and zooming past more than 65 percent this past May, according to published browser statistics from Chrome and Firefox.

While web site operators of all stripes have shifted to SSL encryption, malware authors have also followed suit. Every major ransomware family since 2015 has been distributed at some point via HTTPS, including Petya, Locky and Jigsaw. My team recently dug into our mass of threat data and found that 36 percent of global malware is using SSL encryption—still lower than the overall share of SSL in web traffic, but a significant number and a startling increase. In 2013 Gartner pegged the same statistic at “less than 5 percent,” and an NSS Labs study that same year found that less than one percent of malware was using SSL.

The fact is, despite that growth, most businesses today are not inspecting their HTTPS traffic for threats. A pair of Osterman Research studies in the past year have shown that the adoption of SSL traffic inspection is low and varies greatly from region to region. For instance, a survey this past February revealed that only 19 percent of UK organizations are applying security to SSL traffic, while in the US a study pegged the number at a bit over 50 percent, meaning nearly half aren’t. Regardless of the geographical variations, this translates into vast numbers of organizations leaving themselves vulnerable to a significant proportion of threats today. 

The massive shift of the majority of web use to SSL encryption has become a double-edged sword. While it increases users’ privacy, it can create blind spots in many organizations, where malware in the HTTPS channel is essentially hidden from most web security tools. And as companies such as Google boost search rankings for sites that use HTTPS (and punish those who don’t with “not secure” warnings), the volume of encrypted traffic will continue to grow at escalating rates. The launch just last year of the free SSL certificate authority “Let’s Encrypt” has no doubt contributed to the recent run-up.

It’s clear that many IT administrators underestimate this threat by failing to implement inspection. But looming larger than those concerns is the fact that many companies still don’t recognize SSL inspection as the basic necessity it has become. For all the laudable motives which have made SSL encryption the new normal for web transport, I’m convinced those green padlocks and SSL certificate marketing icons that say things like “100% Secured Website Guaranteed” and “100% Secure Connection” have sown confusion around what SSL does and does not do. While SSL encryption protects from criminal eavesdropping and man-in-the-middle attacks, it does not enforce any security standards beyond encryption and authentication. This means that SSL may guarantee the integrity of the data in your connections, but that includes the delivery of cyber threats.  HTTPS guarantees privacy, not security.

Ignorance is evidently not the only reason some have not yet implemented such inspection; organizations also cite a lack of available tools and personnel, increased costs, concern over the gateway performance degradation that full inspection can bring with it, or privacy concerns. But those explanations don’t change the fact that if a company is not inspecting HTTPS traffic today for threats, its security has developed a very large—and growing—gap. Inspection of HTTPS traffic is really no longer optional.
