Private, But Not Secure: HTTPS is Hiding Cybercrime
22.9.2017 Securityweek CyberCrime
Encrypted communications have boomed in popularity in the aftermath of the Snowden leaks in 2013, which has ironically opened up a new pathway for cybercriminals. Since those fateful revelations years ago, the world has witnessed a sharp increase in encrypted web traffic—reaching half of all global traffic at the beginning of this year and zooming past more than 65 percent this past May, according to published browser statistics from Chrome and Firefox.
While web site operators of all stripes have shifted to SSL encryption, malware authors have also followed suit. Every major ransomware family since 2015 has been distributed at some point via HTTPS, including Petya, Locky and Jigsaw. My team recently dug into our mass of threat data and found that 36 percent of global malware is using SSL encryption—still lower than the overall share of SSL in web traffic, but a significant number and a startling increase. In 2013 Gartner pegged the same statistic at “less than 5 percent,” and an NSS Labs study that same year found that less than one percent of malware was using SSL.
The fact is, despite that growth, most businesses today are not inspecting their HTTPS traffic for threats. A pair of Osterman Research studies in the past year have shown that the adoption of SSL traffic inspection is low and varies greatly from region to region. For instance, a survey this past February revealed that only 19 percent of UK organizations are applying security to SSL traffic, while in the US a study pegged the number at a bit over 50 percent, meaning nearly half aren’t. Regardless of the geographical variations, this translates into vast numbers of organizations leaving themselves vulnerable to a significant proportion of threats today.
The massive shift of the majority of web use to SSL encryption has become a double-edged sword. While it increases users’ privacy, it can create blind spots in many organizations, where malware in the HTTPS channel is essentially hidden from most web security tools. And as companies such as Google boost search rankings for sites that use HTTPS (and punish those who don’t with “not secure” warnings), the volume of encrypted traffic will continue to grow at escalating rates. The launch of the free SSL certificate authority called “Let’s Encrypt,” which launched just last year, has no doubt contributed to the recent run-up.
It’s clear that many IT administrators underestimate this threat by failing to implement inspection. But looming larger than those concerns is the fact that many companies still don’t recognize SSL inspection as the basic necessity it has become. For all the laudable motives which have made SSL encryption the new normal for web transport, I’m convinced those green padlocks and SSL certificate marketing icons that say things like “100% Secured Website Guaranteed” and “100% Secure Connection” have sown confusion around what SSL does and does not do. While SSL encryption protects from criminal eavesdropping and man-in-the-middle attacks, it does not enforce any security standards beyond encryption and authentication. This means that SSL may guarantee the integrity of the data in your connections, but that includes the delivery of cyber threats. HTTPS guarantees privacy, not security.
Ignorance is evidently not the only reason some have not yet implemented such inspection, sometimes citing a lack of available tools and personnel, increased costs, a concern over the gateway performance degradation that full inspection can bring with it, or privacy concerns. But those explanations don’t change the fact that if a company is not inspecting HTTPS traffic today for threats, it’s security has developed a very large—and growing—gap. Inspection of HTTPS traffic is really no longer optional.