SSL Security Epic Fail: When Your SSL Decryption Solution Prevents Better Security

SSL Screen

SSL is everywhere. Today, many of the most popular websites leverage encryption to keep data secure and private. On top of that, other applications such as email, instant messaging, and FTP use SSL  or its successor TLS to encrypt traffic. Need proof that SSL is ubiquitous? According to Sandvine, two thirds of Internet traffic will be encrypted by 2016.[i]

When organizations start encrypting application traffic, they often encounter obstacles such as performance degradation on their application servers. Encryption has other, more serious, ramifications; it makes network security tools blind to application traffic. Security solutions like next-generation firewalls, intrusion prevention, and advanced threat protection platforms cannot inspect packets and mitigate threats when traffic is encrypted.

To solve this issue, organizations can deploy SSL inspection platforms to decrypt SSL traffic and forward it to third-party security devices for analysis. For outbound traffic, organizations own the end points but not the SSL certificates and keys. An SSL inspection platform can decrypt traffic when configured as a transparent forward proxy or an explicit proxy.[ii]

Protecting Corporate Servers

Decrypting inbound traffic destined to internal application servers is different than decrypting outbound traffic because organizations own the SSL keys. There are two main ways to decrypt inbound SSL traffic sent to internal servers:

In reverse proxy mode, the SSL inspection platform can potentially also accelerate SSL performance and load balance servers.

In passive non-inline mode, the SSL inspection platform can be installed transparently without needing to update network settings. However, in passive non-inline mode, organizations cannot easily block attacks. Although organizations may be able to send TCP resets from non-inline devices, this is a best-effort approach and will not effectively block all attacks, including single-packet attacks.

However, the biggest flaw with passive mode is that it does not support strong encryption methods like Perfect Forward Secrecy because the SSL inspection platform does not actively participate in the SSL key negotiation.

Why should you care about Perfect Forward Secrecy (PFS)? Many organizations are transitioning to PFS because:

Leading SSL proponents like the Electronic Frontier Foundation (EFF) are urging application owners to switch to Perfect Forward Secrecy. And many organizations are heeding their call. Web properties such as Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, Tumblr, Yahoo and more now use PFS.

Unfortunately, organizations that deploy an SSL inspection platform that only supports passive mode will be hamstrung—unable to implement strong security ciphers like Elliptic Curve Diffie Hellman Exchange (ECDHE) without breaking their SSL decryption architecture. SSL inspection platforms deployed in passive non-inline mode are a security epic fail.

To learn what features to consider when evaluating an SSL inspection platform, check out: The Ultimate Guide to SSL Inspection.

[i] Sandvine Global Internet Phenomena Spotlight, 2015

[ii] Learn more about outbound SSL inspection in the SSL Insight Solution Brief


Andrew Hickey
August 25, 2015

About Andrew Hickey

Andrew Hickey serves as A10's editorial director. Andrew has two decades of journalism and content strategy experience, covering everything from crime to cloud computing and all things in between. READ MORE