SSL Breaks Bad: A Protective Technology Turned Attack Vector
It’s an unfortunate reality that things meant to do good can and do get misused for harm.
Consider the myriad stories around criminals using Google Maps Street View as a way to “case” a target, or how 3D printers are being used to produce unregistered guns. Whether technology is used for good or for evil has, in reality, as much to do with the perspective of the user as anything else.
The same is true in the information security space, where there is a litany of examples tied to Distributed Denial of Service (DDoS) attacks that turn various elements of network infrastructure into a “weapon” of sorts. Many are beginning to discuss the potential for the billions of devices expected to come online as part of the Internet of Things (IoT) movement to be turned into a mega-bot of sorts to launch similar attacks.
When Good Technology Turns Bad
In the DDoS realm there is another major, and more immediately relevant, example of good technology turned bad: Secure Sockets Layer (SSL), or encrypted, attacks. If you’re reading this, you almost certainly understand the history of SSL, the standard for securing communications to drive increased trust for online interactions. Increasingly, however, SSL is being used to mask attack traffic and further complicate its detection in both network-level and application-level threats.
According to Radware’s 2015 Global Network and Application Security Report, as much as 25% of attack activity today is using SSL-based attack vectors.
The Challenge of SSL Attacks
SSL attacks are particularly virulent for a few reasons. First, they significantly complicate the process of identifying attacks and differentiating them from legitimate, encrypted traffic. Second, the actual mitigation of SSL attacks (when they can be identified) requires significantly more computational power for processing encrypted traffic. This is why most technology solutions struggle significantly to manage this type of attack. Many cannot handle the challenges of detection, and even fewer are engineered to manage the exponential demands of SSL attack mitigation and processing without the battle affecting their overall performance.
Finally, many require a compromise of some kind with regard to SSL certificate management in order to comply with the demands of processing encrypted traffic. For instance, if a user has to adjust security protections every time an application certificate is modified, this quickly becomes an unmanageable requirement for most security teams.
There has been a push by Internet users, privacy advocates, and technology providers alike to stimulate broad end-user adoption of SSL. According to Internet security researcher Netcraft, the use of SSL by the top one million websites has increased by 48% over the past two years. Other initiatives, such as the “Let’s Encrypt” project, which is launching a new, free certificate authority, aim to move more users over to encrypted online communication and commerce.
What Can You Do?
At Radware, we see SSL attacks as one of our industry’s most significant challenges going forward, given the complexity of the vector and the dramatic rise in the general use of encryption. If you’d like to learn more, we recently completed an eBook on SSL attacks that provides specifics on various types of SSL attacks, as well as strategies for effective protection.