Could Your Security Actually Make You Less Safe?

February 14, 2017 | Scott Carter

Whenever a new exploit vector surfaces, security companies scramble to develop new approaches to stop cyber criminals from abusing it. Hmmm. Attacks that leverage encryption aren’t all that new. But internet security solutions still haven’t figured out the best ways to detect them. Granted, inspecting encrypted traffic is difficult because the tools that do SSL inspection don’t have key and certificate intelligence. But even that doesn’t explain why a new study found that many internet security solutions can actually make SSL/TLS connections less secure.

“As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic,” notes the report conducted by researchers from Google, Mozilla, and Cloudflare along with those from four U.S. universities. This team of researchers tested major middlebox and antivirus products to determine the prevalence and impact of HTTPS interception. The results were somewhat disheartening.

All but one middlebox solution “weakened connection security and introduced TLS vulnerabilities such as Logjam, weak export and RC4 ciphers, or didn't validate digital certificates properly,” reports iTnews.com.au. Of the 29 antivirus solutions tested, about half would intercept TLS connections. Sadly, only one of these did not reduce TLS connection security.

How do security solutions that attempt to detect and block harmful traffic end up reducing connection security? First, to look for malicious or disallowed content, the security solution must intercept the TLS connection so that it can decrypt the traffic. Once its analysis is complete, it must then open its own TLS connection onward to the destination server. To make this work, these products install their own certificates in the web browsers or devices on an organization’s network, so that the substitute certificates they present in place of the real server’s are trusted.

The certificates that security solutions inject may not adhere to the same stringent standards that most organizations impose on their own certificates. "Many of the vulnerabilities we find in anti-virus products and corporate middleboxes — such as failing to validate certificates and advertising broken ciphers — are negligent and another data point in a worrying trend of security products worsening security rather than improving it," the study concludes.
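The failure modes the study describes (legacy protocols, RC4 and export ciphers, small Diffie-Hellman groups of the Logjam class, substituted certificate issuers, and interceptors that do not validate the upstream server certificate) can all be checked from the client side by looking at what a handshake actually negotiated. The script below is an added example, not Venafi's code or the researchers' tooling; the CA names, cipher strings and sample handshakes in it are constructed for illustration, and the live `probe()` helper fills only the fields the Python standard library exposes.

```python
"""Audit what a TLS client actually negotiated, to spot an intercepting middlebox
that weakens the connection. Added example; CA names and sample handshakes are
constructed for illustration."""

import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_DH_BITS = 2048  # 1024-bit and smaller finite-field DH groups are the Logjam class


@dataclass
class HandshakeFacts:
    protocol: str                           # e.g. "TLSv1.2"
    cipher: str                             # OpenSSL-style name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    leaf_issuer: str                        # issuer CN of the certificate the client received
    dh_bits: Optional[int] = None           # ephemeral finite-field DH size, when known
    accepts_invalid_upstream: bool = False  # interceptor forwarded to a server with a bad cert


@dataclass
class AuditResult:
    intercepted: bool                       # certificate issuer differs from the expected public CA
    findings: List[str] = field(default_factory=list)

    @property
    def weakened(self) -> bool:
        return bool(self.findings)


def audit_handshake(facts: HandshakeFacts, expected_issuer: str) -> AuditResult:
    """Compare negotiated parameters against a minimal policy. An issuer that is not the
    expected public CA indicates interception; each finding is a way the connection
    ended up weaker than a direct one would be."""
    findings: List[str] = []
    intercepted = facts.leaf_issuer != expected_issuer
    name = facts.cipher.upper()
    parts = name.split("-")

    if facts.protocol in WEAK_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {facts.protocol}")
    if "RC4" in parts:
        findings.append(f"RC4 cipher negotiated: {facts.cipher}")
    if name.startswith("EXP"):  # OpenSSL names export suites EXP-... / EXP1024-...
        findings.append(f"export-grade cipher negotiated: {facts.cipher}")
    # Finite-field DHE suites (DHE-/EDH-) are the ones exposed to a small DH group.
    uses_ffdh = "DHE" in parts or "EDH" in parts
    if uses_ffdh and facts.dh_bits is not None and facts.dh_bits < MIN_DH_BITS:
        findings.append(f"DH group of {facts.dh_bits} bits (Logjam class) with {facts.cipher}")
    if facts.accepts_invalid_upstream:
        findings.append("interceptor did not validate the upstream server certificate")

    return AuditResult(intercepted=intercepted, findings=findings)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> HandshakeFacts:
    """Complete a real handshake and record what was negotiated. dh_bits is left None
    because the stdlib does not expose the ephemeral key size (openssl s_client prints it
    as 'Server Temp Key')."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = dict(rdn[0] for rdn in cert["issuer"]).get("commonName", "")
            return HandshakeFacts(protocol=tls.version() or "",
                                  cipher=tls.cipher()[0],
                                  leaf_issuer=issuer)


if __name__ == "__main__":
    # Constructed sample: what a browser behind a weak interception product might see.
    sample = HandshakeFacts("TLSv1", "RC4-SHA", "Corp Interception CA",
                            accepts_invalid_upstream=True)
    result = audit_handshake(sample, expected_issuer="Example Public CA")
    print("intercepted:", result.intercepted)
    for finding in result.findings:
        print(" -", finding)
```

To run it against a real host, call `audit_handshake(probe("www.example.com"), expected_issuer="<CN of the CA you expect>")` from a machine inside the network; a `leaf_issuer` naming a corporate CA rather than a public one is the interception signal, and any finding on top of that is the interceptor weakening the connection.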

Given their lackluster performance, it’s fairly apparent that security vendors are still scrambling to catch up with the growth in attacks using SSL/TLS. “This new research shows security vendors are struggling, at best, and in the process they are introducing new vulnerabilities,” notes Kevin Bocek, VP of security strategy at Venafi. But it’s critical that security vendors get it right sooner rather than later. Analysts estimate that between 50% and 70% of network attacks will use seemingly trusted SSL to infiltrate, expand, and exfiltrate in the very near future.

How did we get into such a pickle? Bocek observes, “Almost all security systems were architected in the days when encrypted SSL/TLS made up small portions of network traffic. At that time SSL/TLS wasn’t being abused by attackers.” They simply were not engineered to inspect encrypted traffic. As a result, many of these solutions are unable to access an enterprise’s keys and certificates safely in order to inspect its traffic. According to Bocek, “This must be a high priority for the entire security industry. Right now, our adversaries continue to win.”

Do you have enough visibility and control over your organization’s keys and certificates to make them safely available for decryption and inspection? 

About the author

Scott Carter

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.
