Debating SSL Decryption in 2024
- Tony Mattke
- Security
- February 16, 2024
Yet another day brings another meeting about another security product recommending SSL Decryption at our network edge. Your Intrusion Prevention System (IPS), your web filter, the damn packet broker—they all want decrypted traffic to function at “optimum efficiency”. I’ve always opposed this, and even CISA (previously US-CERT) issued a notice in 2016 advising the community against breaking the trust chain. But this new interaction got me thinking… It’s 2024, and 95% of internet traffic is now encrypted. That poses a significant challenge for detecting and mitigating threats hidden inside encrypted traffic. So the question arises: should we consider breaking the trust chain?
There have been several studies that highlight the risks of HTTPS interception, the process in which a security product decrypts encrypted traffic, inspects it, and then re-encrypts it before forwarding. The intent is to let organizations scan encrypted traffic for malicious content. However, it breaks the end-to-end encryption that protocols like TLS provide, potentially weakening the very security it aims to bolster. These products often fail to properly verify the server’s certificate chain before re-encrypting and forwarding client data, which opens the door to man-in-the-middle (MitM) attacks. Furthermore, they frequently do not convey certificate-chain verification errors to the client, so users believe they are securely connected to the intended server when, in fact, they are not. This makes the entire proposal a double-edged sword.
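To make that upstream-verification failure concrete, here is an added Go example (my own illustration, not the post’s or any vendor’s code) of the check an interception product must perform before it re-encrypts anything; the root CA, hostnames and certificates are all constructed in-memory fixtures, and a broken product behaves as if `checkedForward` always returned nil.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a throwaway certificate for cn, self-signed when parent is nil (fixture only, errors ignored).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkedForward validates the upstream server's chain against roots and the expected hostname,
// and returns the error so the middlebox can relay it to the client instead of swallowing it.
func checkedForward(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// scenario: a constructed root CA, a leaf it issued for host, and a rogue self-signed leaf for the same host.
func scenario(host string) (goodErr, rogueErr error) {
	ca, caKey := mkCert("Constructed Test Root CA", true, nil, nil)
	good, _ := mkCert(host, false, ca, caKey)
	rogue, _ := mkCert(host, false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return checkedForward(good, host, roots), checkedForward(rogue, host, roots)
}
```

The rogue certificate is exactly what a MitM on the far side of the middlebox would present; a product that skips this step forwards the client’s data to it and then shows the client a valid certificate from the interception CA.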
My take
In my opinion, the best place to look at this traffic is the endpoint, not the edge. Endpoint security has certainly been gaining traction over the years as experts recognize that the endpoint is often the final battleground where threats manifest. By focusing there, organizations get a more direct and effective approach to security that fits modern work environments, including remote work and BYOD policies. It gives security professionals the peace of mind of being able to inspect SSL traffic without having to hijack that traffic with a self-hosted MitM attack.
Conclusion
As the use of encryption increases, the security community faces the challenge of balancing privacy needs with the necessity to detect potential threats. HTTPS interception provides a solution but also brings substantial risks that require careful consideration. The future of cybersecurity strategies will likely focus on improving endpoint security and creating new technologies that can ensure the security of encrypted traffic without breaking the trust chain.