SSL encryption improves confidentiality and message integrity – it also puts organizations at risk. More and more attackers are leveraging encryption to conceal their exploits from detection. This article introduces A10 Networks SSL Insight, which helps organizations prevent advanced threats.
Attacks Exploiting Encrypted SSL Communication Are Increasing
SSL traffic is growing and will continue to increase in the foreseeable future because of concerns about privacy and government snooping. Many leading websites today, including Google, Facebook, Twitter and LinkedIn, encrypt application traffic. But it is not just the web giants that are encrypting communications. Always-on SSL has gradually become a standard security countermeasure.
Although SSL provides a secured connection, attackers keep finding loopholes and vulnerabilities in SSL. In 2014 we saw a significant increase in the number of SSL vulnerabilities, such as Heartbleed, BEAST, POODLE and more. A10 Networks' Solution Architect Takeki Kumamura warns about attack attempts that use SSL.
"Targeted attacks that involve intrusion into an internal network, communication with an external command and control (C&C) server, and the access of critical information can take advantage of SSL. For example, attackers can slip under monitoring functions by launching a drive-by download attack from a website that is protected with SSL, or by using SMTPS, HTTPS and other protocols that communicate with a C&C server."
SSL was originally intended to ensure confidentiality in communication when sending critical information such as IDs, passwords and personal data. The adoption of SSL and its successor, Transport Layer Security (TLS), should be cause for celebration, but it is also putting organizations at risk. Attackers are wising up and taking advantage of encryption to conceal their exploits from security devices that do not inspect SSL traffic.
According to Kumamura, attack scenarios using SSL can be divided into two types. In the first scenario, the focus is on hiding communication with the client. As in the targeted attacks mentioned previously, an attacker protects a fraudulent site with HTTPS before attempting to redirect a user to the site using methods such as phishing. With this method, users may believe that they are connected "securely" even though the site was set up by attackers.
If there is no countermeasure against this threat, the details of the communication between the client and the fraudulent site cannot be inspected. That is, even if IT and security administrators notice that suspicious communication exists and capture its packets, they cannot analyze what kind of information is being sent.
The second scenario covers attacks that focus on hiding communication with servers. An example is a fraudulent website protected by HTTPS that is disguised as a server used for security updates. There have been actual cases in which a fraudulent website impersonated the site that provides updates for some freeware, and users suffered an attack when the software updated automatically. Because everything occurs on the server side, and the measures taken on the client side were insufficient, this can cause a significant problem. If SSL were used for communication in such cases, IT and security administrators would not be able to check the details of the communications at all.