Saturday, July 20, 2019

Organizations in Bahrain Need to Beware of SSL Decryption

Secure Sockets Layer (SSL) is everywhere. Today, many of the most popular websites leverage encryption to keep data secure and private. On top of that, other applications such as email, instant messaging, and FTP use SSL or its successor TLS to encrypt traffic. Need proof that SSL is ubiquitous? According to Sandvine, two thirds of Internet traffic will be encrypted by 2016.[1]

Glen Ogden, Regional Sales Director, Middle East at A10 Networks, says that when organizations start encrypting application traffic, they often encounter obstacles such as performance degradation on their application servers. Encryption has other, more serious, ramifications; it makes network security tools blind to application traffic. Security solutions like next-generation firewalls, intrusion prevention, and advanced threat protection platforms cannot inspect packets and mitigate threats when traffic is encrypted.

To solve this issue, organizations can deploy SSL inspection platforms to decrypt SSL traffic and forward it to third-party security devices for analysis. For outbound traffic, organizations own the end points but not the SSL certificates and keys. An SSL inspection platform can decrypt traffic when configured as a transparent forward proxy or an explicit proxy.

Protecting Corporate Servers

Decrypting inbound traffic destined for internal application servers is different from decrypting outbound traffic because organizations own the SSL keys. There are two main ways to decrypt inbound SSL traffic sent to internal servers:

  • Reverse proxy mode: SSL traffic is terminated on the SSL inspection devices and sent in clear text to inline or non-inline security devices. This mode is also referred to as “SSL Offload.”
  • Passive non-inline or inline mode: SSL traffic is decrypted using a copy of the server SSL keys. SSL traffic is not modified by the SSL inspection platform except—potentially—to block attacks.

In reverse proxy mode, the SSL inspection platform can potentially also accelerate SSL performance and load balance servers.

In passive non-inline mode, the SSL inspection platform can be installed transparently without needing to update network settings. However, in passive non-inline mode, organizations cannot easily block attacks. Although organizations may be able to send TCP resets from non-inline devices, this is a best-effort approach and will not effectively block all attacks, including single-packet attacks.

However, the biggest flaw with passive mode is that it does not support strong encryption methods like Perfect Forward Secrecy because the SSL inspection platform does not actively participate in the SSL key negotiation.
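The contrast between passive mode and reverse proxy mode can be seen in a toy key exchange. The sketch below is an added example, not code from the article or from A10 Networks; it uses tiny constructed parameters, finite-field Diffie-Hellman standing in for ECDHE, and hypothetical function names.

```python
import secrets

# Constructed toy parameters, far too small for real use.
RSA_N, RSA_E = 61 * 53, 17            # server's long-term RSA public key
RSA_D = pow(RSA_E, -1, 60 * 52)       # private key (the copy a passive device holds)
DH_P, DH_G = 2**127 - 1, 3            # toy Diffie-Hellman group

def rsa_handshake():
    """Static RSA key exchange: the client encrypts the premaster to the server key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    wire = {"kex": "RSA", "encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return premaster, wire

def dhe_handshake(server_exponent=None):
    """Ephemeral DH: only public values cross the wire; the RSA key merely signs them."""
    a = secrets.randbelow(DH_P - 3) + 2                    # client secret, discarded later
    b = server_exponent or secrets.randbelow(DH_P - 3) + 2  # server-side ephemeral secret
    wire = {"kex": "DHE", "client_pub": pow(DH_G, a, DH_P),
            "server_pub": pow(DH_G, b, DH_P)}              # signature omitted for brevity
    return pow(wire["server_pub"], a, DH_P), wire          # client's shared secret

def passive_recover(wire, rsa_d):
    """What a passive tap holding a copy of the server RSA key can get from a capture."""
    if wire["kex"] == "RSA":
        return pow(wire["encrypted_premaster"], rsa_d, RSA_N)
    # DHE: nothing captured is encrypted to the RSA key; the secret depends on
    # an ephemeral exponent that never leaves the endpoints.
    return None

def reverse_proxy_recover(wire, own_exponent):
    """A device that terminates the handshake chose the server-side exponent itself."""
    return pow(wire["client_pub"], own_exponent, DH_P)

def demo():
    secret_rsa, wire_rsa = rsa_handshake()
    secret_dhe, wire_dhe = dhe_handshake()
    proxy_b = secrets.randbelow(DH_P - 3) + 2
    secret_proxy, wire_proxy = dhe_handshake(server_exponent=proxy_b)
    return {
        "passive_rsa": passive_recover(wire_rsa, RSA_D) == secret_rsa,
        "passive_dhe": passive_recover(wire_dhe, RSA_D) == secret_dhe,
        "proxy_dhe": reverse_proxy_recover(wire_proxy, proxy_b) == secret_proxy,
    }

if __name__ == "__main__":
    print(demo())
```

Only the device that takes part in the negotiation ends up with the session secret once the key exchange is ephemeral, which is why a copy of the server key is no longer enough.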

Why should you care about Perfect Forward Secrecy (PFS)? Many organizations are transitioning to PFS because:

  • PFS ensures that if an SSL key is compromised in the future, criminals or government organizations cannot decrypt the data. Each session has its own unique key, so each individual session must be cracked—which is a nearly impossible task.
  • PFS mitigates many types of SSL vulnerabilities. For example, if an SSL private key is compromised through the notorious Heartbleed bug, hackers cannot monitor and decrypt communications protected by PFS. This is because each SSL session is encrypted with a unique session key.

Leading SSL proponents like the Electronic Frontier Foundation (EFF) are urging application owners to switch to Perfect Forward Secrecy. And many organizations are heeding their call. Web properties such as Dropbox, Facebook, Google, LinkedIn, Microsoft Outlook.com, Twitter, Tumblr, Yahoo and more now use PFS.

Unfortunately, organizations in Bahrain that deploy an SSL inspection platform that only supports passive mode will be hamstrung—unable to implement strong security ciphers like Elliptic Curve Diffie-Hellman Exchange (ECDHE) without breaking their SSL decryption architecture. SSL inspection platforms deployed in passive non-inline mode are a security epic fail.

 
