The majority of web traffic is now encrypted. Looking at yesterday’s web traffic on an anonymized, semi-random subset of the Untangle fleet deployed in the real world, about 65.6% of all web traffic was SSL encrypted. (Sample size: ~170 terabytes, ~10000 organizations)
The Untangle reports for an individual site show the same adoption continuing over time. The chart below, taken from a single site's reports, plots the percentage of SSL versus non-SSL web traffic by day over the past year.
If we look at other protocols, we see the same trend at varying levels of adoption. Using the same dataset as above (yesterday’s anonymized data of ~170 terabytes of ~10000 organizations), 83.1% of IMAP email traffic is now SSL encrypted.
POP3 lags behind at 35.4% SSL, although SSL adoption there is increasing too (while POP3 usage as a whole is declining). SMTP has been sent in clear text for decades and is only now starting to see real growth in the use of SSL to protect it.
At this rate, the large majority of content sent over the network will soon be SSL encrypted. As a thought exercise, let us assume that 100% of application-layer content is SSL encrypted. What does that world look like?
Traditional intrusion prevention rules become far less useful. 88% of our ruleset relies on the “content” match keyword, which has nothing to match against when the payload is ciphertext. Gateway antivirus is useless, because it relies on access to the content to decide whether a file is malicious. Antispam is very difficult at the network layer for the same reason: the message body cannot be evaluated.
It is not all bad news though! Web filtering is still possible, just not at the very granular (per-URL) level it had before encryption: the hostname is still visible in the TLS handshake (the SNI extension and the server certificate), even though the path and query are not. Application Control can still identify the application and, in some ways, has an easier job because the server certificate gives it something to derive information from. Many reputation-based security technologies are even better in this world, because the certificate provides a way to verify authenticity and identifies the organization from which a reputation can be derived.
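To make the two preceding paragraphs concrete, here is an added example (not code from the original post or from Untangle's products) that sends the same HTTP request once in the clear and once inside TLS, and shows what an IPS "content" rule and a hostname lookup get in each case. The TLS records are constructed inline from the RFC 5246/6066 framing; the record cipher is replaced by a hash-based XOR stand-in so the example runs offline, and the hostname, request and key are invented sample values.

```python
import hashlib
import struct

SNI_EXTENSION_TYPE = 0x0000  # server_name, RFC 6066


def content_match(payload: bytes, pattern: bytes) -> bool:
    """Stand-in for an IPS content:"..." keyword: plain substring search."""
    return pattern in payload


def build_client_hello(hostname=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture).
    With hostname=None the extensions block is omitted entirely."""
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (placeholder)
        + b"\x00"                                     # session_id length: 0
        + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"  # two cipher suites
        + b"\x01\x00"                                 # compression: null only
    )
    if hostname is not None:
        host = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # type 0 = host_name
        ext_body = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(ext_body)) + ext_body
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for the TLS record cipher: XOR with a SHA-256 counter-mode keystream.
    Not TLS and not secure; it only makes the bytes opaque while keeping their length."""
    out = bytearray()
    for n in range((len(plaintext) + 31) // 32):
        ks = hashlib.sha256(key + n.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(plaintext[n * 32:(n + 1) * 32], ks))
    return bytes(out)


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if it is not
    a ClientHello or carries no server_name extension. Every length is bounds-checked."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                       # past record/handshake headers, version, random
    if pos >= len(record):
        return None
    pos += 1 + record[pos]                 # session_id
    if pos + 2 > len(record):
        return None
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    if pos >= len(record):
        return None
    pos += 1 + record[pos]                 # compression_methods
    if pos + 2 > len(record):
        return None                        # no extensions block
    end = min(pos + 2 + struct.unpack_from("!H", record, pos)[0], len(record))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        ext_end = min(pos + ext_len, end)
        if ext_type == SNI_EXTENSION_TYPE:
            inner = pos + 2                # skip server_name_list length
            while inner + 3 <= ext_end:
                name_type = record[inner]
                name_len = struct.unpack_from("!H", record, inner + 1)[0]
                inner += 3
                if name_type == 0 and inner + name_len <= ext_end:
                    return record[inner:inner + name_len].decode("ascii", "replace")
                inner += name_len
        pos = ext_end
    return None


def what_the_ips_sees(hostname: str, request: bytes, rule_content: bytes) -> dict:
    """Same HTTP request in the clear and inside TLS: what a content rule and SNI lookup get."""
    client_hello = build_client_hello(hostname)
    ciphertext = toy_encrypt(request, b"constructed-session-key")
    app_data = b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext
    return {
        "plaintext_content_match": content_match(request, rule_content),
        "tls_content_match": content_match(app_data, rule_content),
        "tls_sni": extract_sni(client_hello),
        "tls_payload_len": len(ciphertext),   # length still leaks, content does not
    }


if __name__ == "__main__":
    req = b"GET /admin/config.php HTTP/1.1\r\nHost: shop.example.net\r\n\r\n"
    print(what_the_ips_sees("shop.example.net", req, b"/admin/config.php"))
```

The result pair is the whole argument in miniature: the content rule fires on the clear-text request and never on the Application Data record, while the ClientHello still hands a hostname-level filter exactly what it needs. Note that `extract_sni` returns `None` for a ClientHello without extensions or for a non-handshake record, which is the case a real parser must handle before trusting the field.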
Long-time Untangle users can look at their own data and see this effect. You will likely see many more blocked accesses to malware sites based on reputation via Web Filter than you will see accesses blocked based on content scans in Virus Blocker.
SSL adoption will force network security vendors to shift to security approaches that do not depend on inspecting content. While this trend may seem obvious, we often see the opposite: many vendors are investing in network sandboxing in an effort to increase the efficacy of the antivirus engine, a component that is already of limited relevance at the network level and is becoming less relevant over time.
But wait! Won’t SSL inspection, also called man-in-the-middle or MITM, let us inspect SSL traffic as if it were unencrypted and give us full visibility into the content? Indeed it does. SSL inspection transparently terminates the client’s SSL session at the gateway, opens a second session to the server, and re-encrypts the traffic in between, so that things like antivirus and antispam can scan the clear-text content.
The problem with SSL inspection is that it is very difficult to deploy in the real world. Because the gateway is issuing certificates on the server’s behalf, SSL inspection requires installing a new certificate authority (CA) in the trust store of every device. In some scenarios, like a school adding the CA to devices that it owns, SSL inspection can work great.
Outside of scenarios like this, SSL inspection can often be more of a headache than it’s worth. Why? Any device that does not carry the gateway’s CA (personal and guest devices, embedded systems) sees every inspected connection as a certificate error, and applications that pin their server certificates fail even when the CA is installed. Given these issues, many administrators simply abandon the effort. We are currently seeing less than 10% adoption of SSL inspection amongst Untangle customers.
However, the biggest issue facing SSL inspection is Google. As mentioned earlier, Google is one of the key drivers of SSL adoption. Now with Android Nougat (7.0), apps targeting that release no longer trust user-added CAs by default (each app must explicitly opt in through its network security configuration), so even an administrator who installs the CA on the device cannot make inspection work for those apps. That makes SSL inspection essentially impossible for these devices.
The purpose of SSL is to authenticate and encrypt, and SSL inspection essentially negates this purpose. I believe that it is one of Google’s missions to encourage SSL adoption so that users can safely connect to their service from anywhere without interference. For the record, I agree with this. SSL inspection, while it does have useful security applications, is also something that is likely to be abused. We need SSL to work for a safe and free internet. If Google continues down this path, and I believe they will, then SSL inspection is not going to be a viable long-term approach to handle SSL.
The era of network security products being able to analyze clear-text application data is ending. Many of our old content-based technologies won’t be as useful.
Luckily, SSL adoption brings many new opportunities and can empower some of our existing security applications. More on that in future posts!