HTTPS flows and web filtering: 90% of traffic by 2020! CIOs, be ready!
Secure Internet traffic using HTTPS (HyperText Transfer Protocol Secure) is now widespread, accounting for over 80% of web traffic in France, and will probably reach 90% by 2020. This increase is in line with the underlying trend towards more secure data exchange. It also responds to the impetus given by Google, which favors HTTPS websites in its organic search ranking and penalizes those that are not.
This transformation can be seen at every level, since virtually all web browsers now consider access to an unencrypted HTTP site to be dangerous, and warn users with explicit alerts.
However, the explosion in secure Internet traffic does not make HTTPS filtering any easier for CIOs and CISOs, who face a real technical headache with SSL/TLS decryption, and a legal one, since companies are not authorized to decrypt all flows (in the banking or healthcare sectors, for example). In fact, analyzing the flows exchanged between a company's internal network and the outside world is vital for web security and information system protection. So what are the recommendations for taking this new HTTPS requirement into account?
Understanding the nature of HTTPS flows for enterprise web security
The HTTPS protocol complements the historic HTTP protocol with an additional layer of security, enabling the exchange of secure information over a TCP/IP network. This additional layer corresponds to the TLS (Transport Layer Security) protocol, which is a more recent and, above all, more secure version of the better-known SSL (Secure Sockets Layer) protocol.
When HTTP flows are encapsulated in the TLS protocol, this guarantees both the confidentiality and integrity of communications between the server and the connected client workstations, while authenticating the server to the client. All parties involved can rest assured that the information exchanged cannot be faked: the website being consulted is indeed the one you expect to see, and Internet users can provide their credit card number and/or personal information with complete peace of mind.
Against a backdrop of proliferating cyber threats, it's clear that the widespread use of secure web connections is a positive trend, both in the private sphere and for businesses. But IT security specialists are under no illusion: encrypted data flows can of course conceal hidden risks! Indeed, attackers can try to hide their malware inside them, and certain HTTPS URLs can of course be malicious. This is why it is now essential to enhance your traditional security devices to decrypt these flows and check that there are no threats inside...
HTTPS filtering: essential TLS/SSL decryption
To address these hidden risks and help organizations protect their information systems, ANSSI has drawn up a number of recommendations. However, since the TLS protocol provides security and confidentiality for exchanges, "breaking" this protection is not necessarily technically straightforward, or devoid of legal obligations...
Of course, whitelisting, which only authorizes browsing to URLs that have been recognized and qualified in advance, would be an excellent way of protecting against potential threats, but it is not necessarily applicable in all sectors of activity. It is therefore sometimes necessary to decrypt...
To guarantee secure communication, the mechanism used in an HTTPS exchange relies on authentication using a certificate associated with the website, which the client's browser will verify, and on a public/private key pair. The public key (accessible to all) is used to encrypt data, while only the private key can decrypt it.
In order to intercept this secure communication, the web security gateway has to resort to the MITM or "Man in the Middle" technique: it validates the website's certificate itself and opens its own connection to the website, in place of the user. The web security gateway then re-establishes the connection to the user using its own set of certificates, without breaking the security chain: the user continues to access the website securely, but the gateway can verify the nature of the content exchanged. To do this, it must integrate an HTTPS (SSL) decryption package, as offered by Olfeo.
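To make the re-establishment step concrete, here is an added Go example (not Olfeo's code, and not taken from this article) that builds two in-memory roots, a constructed "public" CA that signed the real site and an enterprise inspection CA, then mints the look-alike certificate the gateway shows the client. The hostname www.example.test and the CA names are constructed for the example; the point it demonstrates is that the re-issued certificate only validates on clients that trust the inspection CA, and that hostname binding is still enforced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates an Ed25519 key and certifies it from tmpl; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA makes a self-signed root (constructed here): either the public CA behind the real site
// or the enterprise inspection CA, which must be deployed to every client trust store.
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// IssueLeaf issues a server certificate for dnsNames under ca. The gateway calls it with the
// names copied from the upstream certificate it has just validated, keeping the private key itself.
func IssueLeaf(dnsNames []string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: dnsNames,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return cert, err
}

// ClientAccepts reports whether a client trusting only root accepts cert for host.
func ClientAccepts(cert, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
```

A client without the inspection CA in its trust store rejects the re-issued certificate, which is exactly the certificate error users see when the gateway CA has not been deployed to their workstation.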
The aim is obviously to block any threat as early as possible, before it reaches the end-user's workstation, which is increasingly the target of cybercriminals. It is also essential to develop a better security culture among end-users, and change their behavior.
The limits of SSL decryption and HTTPS content filtering
HTTPS filtering and SSL decryption obviously raise issues of technical optimization, rights and obligations. The first requirement is obviously to guarantee the highest level of security and confidentiality around the web security gateway, which will be handling data that is normally encrypted and therefore potentially confidential.
Secondly, SSL decryption consumes machine resources, so it's good practice to make exceptions for certain traffic streams, such as authorized business software. This allows you to concentrate your decryption efforts on other types of traffic, such as YouTube, social networks, webmail, etc.
Indeed, decrypting these flows is sometimes essential in view of the company's obligations in terms of legal and cultural compliance when surfing the Internet: YouTube videos may offer tutorials on how to make homemade grenades, or give access to very violent images, and this type of browsing cannot be accepted in the company. On the other hand, it is also forbidden to decrypt flows linked to browsing on certain websites, for example when a user visits the website of their bank or insurance company, or accesses the AMELI portal, since personal data may then be exchanged...
The legal compliance requirements for SSL decryption are therefore crucial, and are expressed in the ANSSI technical note. You need to make sure that your proxy complies with these requirements, as we do at Olfeo.
HTTPS filtering: the indispensable integration of a standalone proxy with UTM
Finally, if your HTTPS filtering strategy is to be truly effective, you need to choose the right tools, and not rely solely on the UTM (Unified Threat Management) and/or the firewall for SSL decryption. In fact, we know today that SSL decryption on a firewall can represent a performance loss of up to 74% (NSS Labs, John W. Pirc, Significant SSL performance loss leaves much room for improvement), so it's essential to add a standalone proxy alongside your firewall.