A recent report by Sandvine, a networking equipment company based in Ontario, Canada, shows that encrypted SSL network traffic has been rapidly growing. SSL encrypted traffic in North America, for instance, grew from 2.29 percent in 2013 to 3.8 percent in 2014, while Europe’s encrypted SSL network traffic usage grew from 1.47 percent to 6.1 percent over the same period, according to Sandvine.
SSL (Secure Sockets Layer) establishes an encrypted link between a server and a browser. When you visit a website with SSL, the site’s SSL certificate allows you to encrypt the data you send, according to security firm Symantec. Information sent over the Internet that’s typically encrypted includes credit card information, names or addresses.
Issues with SSL Encrypted Traffic
While most organizations today use SSL to secure traffic between multiple locations, the truth is that upgrading websites and applications to support SSL can take considerable effort, says Intel, a multinational technology company. “SSL is computationally intensive, and requires the server CPU to spend a considerable number of cycles encrypting and decrypting traffic,” the company says. “This negatively impacts the response times and latency that the user experiences.”
In addition, security issues begin to mount as SSL traffic rapidly increases. These challenges include the ability of security devices to inspect SSL traffic effectively, according to information security firm NSS Labs. With the rise in the use of HTTPS – and social media applications and search engines enabling SSL by default – blind spots can emerge that could possibly reduce security on corporate networks, since network security products and other defenses may not be able to monitor SSL traffic, NSS Labs says.
As for malware, although only a small percentage of malware attacks are designed to use SSL, they can pose significant risks to an organization. “As more [cyber-attackers] decide to use SSL/TLS for both delivering malware and as a call back to a command and control server, we are going to be blind to the attacks,” says John Pirc, Research Vice President at NSS Labs.
The Heartbleed Bug
But nothing to date has done more to show the widespread usage of SSL across the Internet – and the vulnerability of those dependent on it – than the disclosure of The Heartbleed Bug, a serious vulnerability in the popular OpenSSL cryptographic software library. The bug allowed the theft of information protected by the SSL/TLS encryption used to secure the Internet.
“The Heartbleed Bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” according to security firm Codenomicon, which discovered the bug. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.”
The bug allowed attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
For further information on The Heartbleed Bug and how you can protect yourself, please visit this website.