Organizations of every sector, shape and size recognize the value of keeping communications across the internet private. However, wrapping protocols like HTTP, RTP and FTP in TLS, although great at securing user-to-resource access, can also provide a route for malware, hackers and illicit content to bypass scrutiny by IT.
Infosec teams have weapons in their arsenal that allow them to peer into encrypted traffic to ensure that it is both safe and in line with governance policies, but there are a host of technical, legal and ethical issues to be considered.
Encryption of digital communication has been around for several decades, but it is only in the last few years that it has really started to become the default position for most websites and web services. According to recent research by security expert Scott Helme, just over half of the one million most visited websites now use HTTPS. Yet there are some major sites and a huge number of non-commercial sites that still communicate in plain text.
The reasons anybody would not want to use encryption fall into two camps. The first is a lack of awareness of the benefits; the other is the perceived complexity of enabling it. Organizations like the Internet Security Research Group (the backers of Let's Encrypt) and the Electronic Frontier Foundation have made great strides in dispelling these misconceptions.
For organizations that handle personally identifiable information or special category data (as defined by the Information Commissioner's Office), like healthcare and financial services, or those that have a duty of care, such as schools or colleges, encryption is effectively mandated for all user-to-service communication.
This trend is further enforced by massive internet services such as Google that insist on HTTPS – and even the latest Chrome browser builds offer “not secure” warnings for anybody attempting to visit a site without HTTPS.
However, encrypted traffic makes it harder for organizations to ensure that users are not breaching internet access policies, and to stop other illicit activities such as P2P file sharing of copyright material. Encrypted communication is also increasingly used by malware to communicate with remote handlers to potentially exfiltrate stolen data.
In response, many organizations deploy a dedicated web proxy device or next generation firewall at the boundary between the corporate network and the wider internet. It acts as a termination point for the encryption and so allows inspection of all traffic. This inspection can be used for web filtering, such as removing access to adult sites or social media, alongside added benefits like scanning traffic for malicious content and blocking access to sites with out-of-date ciphers.
However, the process of SSL Inspection or TLS/HTTPS Interception by its very nature breaks the secure channel between the parties communicating across the internet. The proxy in the middle of the communication, and by extension the IT department, can now examine all traffic. Achieving this, however, requires the IT department to install its own certificate on the user's device so that the client trusts the proxy's re-signed server certificates.
If this is a device issued by the organization or if a certificate is required to gain internet access, then the user effectively agrees to this level of supervision.
Being able to detect and block dangerous or illegal content from users where there is a duty of care or corporate requirement is vital. However, this brings up an ethical question. Although IT departments are implicitly trusted, there are rogues in every organization and balancing the needs for governance and privacy is more complex than the technical hurdles.
The answer can be found in defining, enacting and supervising a transparent internet access policy. Organizations must inform users that they are carrying out decryption and explain why it is required. The policy must also state what types of internet access are not permitted while using the service. However, the policy should exempt sensitive categories such as healthcare and banking from decryption, and there are ample whitelists that can be fed into inspection engines to avoid examining this type of traffic.
It is also essential to enable decryption not just for outbound traffic, but also for inbound traffic, where organizations are publishing websites and services to the internet. This reverse proxy inspection of traffic can prevent attackers from exploiting vulnerabilities that might not otherwise be detected.
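The proxy described above must decide, before it terminates a connection, whether a flow falls into a category the policy exempts from decryption. Inspection engines do this by peeking at the cleartext Server Name Indication (SNI) in the TLS ClientHello and matching it against the bypass whitelist. The following is an added example, not code from the article or any vendor: it parses the SNI from a raw ClientHello record and applies a constructed sample policy (the suffix lists and category names are assumptions) to return block, splice (pass through without decrypting) or bump (terminate and inspect).

```python
import struct
# Constructed sample policy: bypass "whitelist" (no decryption) and a block list.
NO_DECRYPT = {"nhs.uk": "healthcare", "mybank.example": "banking"}
BLOCKED = {"torrent.example": "p2p file sharing"}

def extract_sni(record: bytes):
    """Return the SNI hostname from a raw TLS ClientHello record, or None.
    This is the proxy's 'peek' step: only cleartext handshake bytes are read."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a handshake record carrying a ClientHello
    pos = 43  # record hdr (5) + handshake hdr (4) + version (2) + random (32)
    pos += 1 + record[pos]                                  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression
    if pos + 2 > len(record):
        return None  # no extensions block at all (e.g. a legacy client)
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:  # server_name: list len (2), type (1), name len (2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def decide(record: bytes) -> tuple:
    """Action: block, splice (pass through encrypted) or bump (terminate and inspect)."""
    sni = extract_sni(record)
    if sni is None:
        return ("bump", "no SNI: inspect to establish what the flow is")
    for suffix, reason in BLOCKED.items():
        if sni == suffix or sni.endswith("." + suffix):
            return ("block", reason)
    for suffix, category in NO_DECRYPT.items():
        if sni == suffix or sni.endswith("." + suffix):
            return ("splice", "sensitive category: " + category)
    return ("bump", "policy default: decrypt and inspect")

def build_client_hello(host: str) -> bytes:
    """Constructed fixture: a minimal TLS 1.2 ClientHello carrying one SNI."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Note that suffix matching is anchored on a label boundary, so a lookalike such as nhs.uk.evil.example does not inherit the healthcare exemption.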
Be mindful of edge cases where decryption is not possible out of the box because client software enforces its own keychain; these will require administrative remediation. Another area of concern is BYOD, where employees or users, such as students, will need to give consent for certificates to be placed on their devices before decryption can take place.
The legal position around decryption is still vague. In a landmark 2016 test case, the European Court of Human Rights said that organizations had to strike a "fair balance" between an employee's right to a private life and the employer's right to ensure that corporate rules were followed and security was not compromised.
With the widespread availability of 3G/4G networks, often an organization’s safest course of action is to mandate through employment contracts that all personal internet access and usage should be across smartphones and mobile networks that are outside of the control of the organization. For the Infosec team tasked with decryption, it is always best to get HR involved in the process as early as possible.