The Mixed Blessing Of Enforced HTTPS

By Geraldine Osman, EMEA Marketing Director at Barracuda Networks In a move that analysts expect will markedly improve the general security of the internet, Google has announced that...

By Geraldine Osman, EMEA Marketing Director at Barracuda Networks

In a move that analysts expect will markedly improve the general security of the internet, Google has announced that it will be boosting the search rankings of sites using HTTPS.

Websites that continue to transport passwords in plaintext (and there remain some large and popular offenders) will be effectively forced to comply with best practice on pain of Google penalisation, and man-in-the-middle attacks that affect internet users will decrease.

But MITM attacks aren’t the only threat facing the web, and the widespread introduction of HTTPS will present a new set of responsibilities and hazards to your systems’ integrity. HTTPS essentially provides a secure container in which important data can be transported – the data is definitely sent to the right place, unharmed, encrypted and in good condition. But there’s no way of ensuring it’s the right data in the secure container, nor is there any guarantee that the data you remove from the container will be what you wanted.

Baddies wearing your uniform

HTTPS can be problematic in terms of perimeter security. Because the data within the secure container is encrypted, it’s impossible for conventional perimeter security solutions – systems like IDS/IPS and firewalls – to accurately guage whether the incoming data is malicious or not. HTTPS effectively gives criminals, hackers and vandals a way of escaping detection if they want to target your servers.

Indeed, the same applies in reverse. Your systems can’t discern the nature of the data within these secure containers, and nor can your users’ – malicious exploits could target your customers, whose security won’t be able to detect them thanks to your HTTPS.

This problem is compounded by the little padlock icon that appears when a site is connected to using HTTPS. Your site visitors will enjoy a false sense of security, assuming that they are safe from all threats. Ironically, a transition from HTTP to HTTPS using non-proxy security solutions may in fact damage your security rather than improve it.

If your name’s not down…

As with a border post, the security systems in place must (at the very least) include a blacklist – a list of individuals who can’t be let through the checkpoint. Even more secure would be a whitelist – a list of all the individuals who can enter through the checkpoint.

One solution is a proxy-based that can not only open the secure containers and investigate the contents, but can keep out the malicious data using SSL offloading. This involves the proxy decrypting the HTTPS traffic and then communicating its findings with the protected servers using HTTP or through encrypted means. SSL offloading is an important tool in other contexts.

Keeping application security current often necessitates rewriting of legacy web applications on-the-fly. This could involve injecting response headers of HSTS (HTTP Strict Transport Policy) and clickjacking prevention, preventing CSRF by injecting randomised tokens, cooking encryption and more.

It’s important to look ahead and understand that attackers may become more sophisticated, and that current data could be compromised in the future. Your HTTPS traffic, if captured today, could be decrypted in the future by criminals equipped with more advanced hardware. Perfect Forward Secrecy – PFS – renders IPDS and span port based application proxies useless, since they can’t actually decrypt the PFS communication.

Non-security benefits

Nobody wants a message on Google stating that their site could infect a user’s computer with malware. For most companies with a significant web presence, it’s precisely the kind of thing that could cost an enormous amount of revenue. The precipitous fall from grace (and search rankings) that would result from a breach of any sort could be disastrous for the reputation of your organisation, whether your systems are equipped with HTTPS or not.

 

For more information on Barracuda and their products, click here.

In this article

Join the Conversation