{"id":7085,"date":"2017-03-23T05:00:02","date_gmt":"2017-03-23T13:00:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/23\/news-876\/"},"modified":"2017-03-23T05:00:02","modified_gmt":"2017-03-23T13:00:02","slug":"news-876","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/23\/news-876\/","title":{"rendered":"The S In HTTPS"},"content":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Thu, 23 Mar 2017 12:00:37 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-300x169.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-768x432.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-1024x576.jpg 1024w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-640x360.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-900x506.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-440x248.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-380x214.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https.jpg 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>If you\u2019ve ever bought anything online, checked your bank accounts through the app, or logged on to your favorite social media network, you\u2019ve used a technology called <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\">SSL\/TLS<\/a>. 
The <b>S<\/b> in <b>HTTPS<\/b>.<\/p>\n<p>SSL\/TLS (just to keep it simple, I\u2019ll refer to it as SSL) is the technology used to encrypt the communication between your browser and the site you\u2019re visiting.<\/p>\n<p>This is crucial to ensure that malicious actors\u2014like hackers and cybercriminals\u2014don\u2019t see the contents of your web traffic.\u00a0But like anything to do with cryptography and encryption, there\u2019s a lot of confusion and misunderstanding.<\/p>\n<h2>How Do You Know?<\/h2>\n<p>As a user, you rely on your browser to indicate whether a site is safe or not. This includes a number of things like checking to make sure it\u2019s not hosting malware, running malicious JavaScript, and\u2014for secure sites\u2014that the connection is encrypted.<\/p>\n<p>Sadly, due to the complexities of encryption, checking to see if a connection is valid has boiled down to some combination of the traditional lock icon, a green URL\/address bar, and the word &#8220;secure.&#8221; Most browsers also take things a step further and highlight when you\u2019ve landed on a page where the browser can\u2019t verify the encryption.<\/p>\n<p>But what\u2019s happening in the background? What makes a site show as secure?<\/p>\n<h2>Certificates<\/h2>\n<p>A site that uses HTTPS to deliver content uses a digital certificate to help confirm its identity. A digital certificate contains a lot of information that can be summed up as two really, really big prime numbers (one private, one public) and data that\u2019s designed to help you trust those two numbers.<\/p>\n<p>The numbers are used for a technique called <a href=\"https:\/\/en.wikipedia.org\/wiki\/Diffie%E2%80%93Hellman_key_exchange\">a key exchange<\/a>. 
This is a really interesting mathematical process that lets two entities (in this case, you and the site you\u2019re visiting) create a shared secret over a public channel (the internet).<\/p>\n<p>The rest of the data is designed to help you and your browser verify that the site you\u2019re visiting is in fact the site you intended to visit. This is accomplished through <a href=\"https:\/\/en.wikipedia.org\/wiki\/Chain_of_trust\">a chain of trust<\/a> that includes the certificate for the site you\u2019re visiting, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Certificate_authority\">a certificate authority<\/a>, and a root certificate trusted by your operating system or browser.<\/p>\n<p>A chain of trust works just like it sounds. The root certificate is verified by a big organization, typically <a href=\"https:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/31633.microsoft-trusted-root-program-requirements.aspx\">Microsoft<\/a>, <a href=\"http:\/\/www.apple.com\/certificateauthority\/ca_program.html\">Apple<\/a> or <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\">Mozilla<\/a>. In turn, they issue signing certificates to a group of certificate authorities. 
These are the organizations that either sell or <a href=\"https:\/\/letsencrypt.org\/\">give away certificates<\/a> to site owners.<\/p>\n<p>Site owners prove to the certificate authority that they own the site in question and then get a certificate to use with you, their user.<\/p>\n<div id=\"attachment_538828\" style=\"width: 940px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-538828\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-001.jpg\" alt=\"\" width=\"930\" height=\"466\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-001.jpg 930w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-001-300x150.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-001-768x385.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-001-640x321.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-001-900x451.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-001-440x220.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-001-380x190.jpg 380w\" sizes=\"auto, (max-width: 930px) 100vw, 930px\" \/>\n<p class=\"wp-caption-text\">SSL\/TLS certificate trust chain diagram<\/p>\n<\/div>\n<h2>Weakest Link?<\/h2>\n<p>When you visit a secure site, your browser gets the digital certificate from the site in question\u2026say example[.]com. The certificate says that it was issued by CA01. Your browser knows CA01 and trusts it because it\u2019s on the list from Microsoft\/Apple\/Mozilla.<\/p>\n<p>After checking with CA01, your browser knows that the certificate it got from example[.]com checks out. 
This results in the lock icon\/green URL in your browser.<\/p>\n<p>Now this system isn\u2019t foolproof. An attacker could hijack the name example[.]com and use another certificate that\u2019s just as valid, but it\u2019s unlikely. As with any security system, there are tradeoffs in HTTPS, but the balance struck here is a reasonable one.<\/p>\n<p>Except when someone puts their finger on the scales\u2026<\/p>\n<h2>US-CERT Alert<\/h2>\n<p>Recently the US-CERT (an organization that helps educate users about potential digital security issues and current threats) issued an alert (<a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/TA17-075A\">TA17-075A<\/a>) meant to highlight issues with a security control often deployed by enterprises.<\/p>\n<p>Surfing the web over an encrypted connection is great for users, but it can lead to some challenges in a corporate environment. As much as banks and apps are using encryption to help users, cybercriminals are also using it to harm users.<\/p>\n<p>When you\u2019re setting up the defences for your enterprise network, it\u2019s not uncommon to deploy technology to <b>intercept<\/b> HTTPS connections (typically using a web gateway or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Proxy_server\">outbound proxy<\/a>). 
The goal here isn\u2019t (usually) to snoop on your users, but to make sure that you can block malware and other malicious content.<\/p>\n<p>To do this, the interception technology adds another link to the chain of trust.<\/p>\n<div id=\"attachment_538829\" style=\"width: 940px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-538829\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-002.jpg\" alt=\"\" width=\"930\" height=\"466\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-002.jpg 930w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-002-300x150.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-002-768x385.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-002-640x321.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-002-900x451.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-002-440x220.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-002-380x190.jpg 380w\" sizes=\"auto, (max-width: 930px) 100vw, 930px\" \/>\n<p class=\"wp-caption-text\">SSL\/TLS certificate trust chain diagram with interception<\/p>\n<\/div>\n<p><i>[This technology has been available for quite a while and\u00a0<\/i><b>full disclosure\u00a0<\/b><i>is warranted here, Trend Micro offers products in this category.]<\/i><\/p>\n<p>US-CERT raised the alert based on some <a href=\"https:\/\/insights.sei.cmu.edu\/cert\/2015\/03\/the-risks-of-ssl-inspection.html\">recently released research<\/a> from Carnegie Mellon University (CMU). 
In this study, they looked at a number of products in this category and found that there are some significant issues that could make users less safe while surfing.<\/p>\n<h2>Interception Issues<\/h2>\n<p>We\u2019ve already seen that there\u2019s a lot of complexity required to show that simple lock\/green URL to the user. The CMU study shows that when an interception technology is in play, that simple indicator can be deceiving. It can show users that their surfing is secure when it actually isn\u2019t, and that\u2019s the last thing that users or IT security teams want.<\/p>\n<p>CMU cites seven specific issues in their study, but they essentially stem from one particular issue.<\/p>\n<div id=\"attachment_538830\" style=\"width: 940px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-538830\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-003.jpg\" alt=\"\" width=\"930\" height=\"466\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-003.jpg 930w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-003-300x150.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-003-768x385.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-003-640x321.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-003-900x451.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-003-440x220.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/us-cert-ta17-explanation-003-380x190.jpg 380w\" sizes=\"auto, (max-width: 930px) 100vw, 930px\" \/>\n<p class=\"wp-caption-text\">SSL\/TLS certificate trust chain diagram with interception and issue pointed out<\/p>\n<\/div>\n<p>The interception tools either don\u2019t gracefully 
handle certificate validation errors or don\u2019t validate them at all. Ouch. That defeats the entire <i>trust<\/i> part of the chain.<\/p>\n<h2>Next Steps<\/h2>\n<p>The US-CERT advisory recommends testing any interception solution against <a href=\"https:\/\/badssl.com\/\">https:\/\/badssl.com\/<\/a>. That\u2019s a fantastic tool that lets you see how your browser handles various SSL\/TLS issues. With the interception tool in place, try each of the scenarios and ensure that they\u2019re properly handled.<\/p>\n<p>Furthermore, if you\u2019re rolling out interception technology here are some concrete steps to make it as smooth as possible:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"20px\"><\/td>\n<td>\n<ol>\n<li>Test the tool against <a href=\"https:\/\/badssl.com\/\">https:\/\/badssl.com\/<\/a> before deploying it to production<\/li>\n<li>Whitelist trusted sites like major banks &amp; financial institutions<\/li>\n<li>Have a strong communications plan that clearly explains the how and why to your user community<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td height=\"10px\"><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Interception technology can help defend your enterprise from malware and cybercriminals, but it\u2019s not without potential issues (as shown by <a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/TA17-075A\">the US-CERT alert<\/a>). 
This is a case where a little planning and forethought can go a long way.<\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/the-s-in-https\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Thu, 23 Mar 2017 12:00:37 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-300x169.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-768x432.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-1024x576.jpg 1024w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-640x360.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-900x506.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-440x248.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https-380x214.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/03\/s-in-https.jpg 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>If you\u2019ve ever bought anything online, checked your bank accounts through the app, or logged on to your favorite social media network, you\u2019ve used a technology called SSL\/TLS. The S in HTTPS. 
SSL\/TLS (just to keep it simple, I\u2019ll refer to as SSL) is the technology used to encrypt the communication between your browser and&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[10422,10439,714,10752,11716],"class_list":["post-7085","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-current-news","tag-encryption","tag-security","tag-vulnerabilities","tag-web-threats"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7085","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7085"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7085\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7085"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7085"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7085"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}