Are Encryption Technologies Making Us Less Secure?
When visiting an unfamiliar website, many of us keep an eye out for the padlock icon in our browser’s address bar which tells us that a site is “secure”. Depending on what browser you use, this icon can mean a whole host of things, but it generally indicates that the site in question is using HTTPS – a secure version of the HTTP protocol used to access the web.
HTTPS relies on encryption technologies called “SSL” and “TLS” to encrypt communications between you and the website in question, even if you’re not sharing or viewing anything particularly sensitive. The increased uptake of SSL/TLS is undoubtedly a great move for online security as a whole, but things aren’t as simple as they seem…
What is Encryption and How Does it Aid Data Security?
Encryption is a very powerful way of concealing data from unauthorised prying eyes. Put simply, it’s when a party scrambles a piece of data using a specific encoding process, so only those with the means to decode the message can access its contents. If you don’t have the means to decode the message, all you see is scrambled gibberish.
The Enigma machine from World War II is probably the most well-known example of cryptography outside of digital encryption protocols. The Axis powers needed to send strategic messages to the front lines, but sending them in plain text would make them too easy to intercept. They used the now infamous Enigma machine to turn their messages into incomprehensible gibberish to everyone except those with a similarly configured Enigma device. They’d transmit the encoded message via Morse code to other Enigma operators who would be able to decode the message into plain text.
Nowadays, much more sophisticated encryption protocols are used to keep our online data safe from cybercriminals. Nobody wants their personal details or payment information floating around in plain text on the internet, so SSL and TLS encryption is used to conceal that data from unauthorised parties.
The Rise of SSL
SSL is a commonly used encryption protocol that keeps web users’ data secure while in transit. It establishes a strongly encrypted channel between the user and the website’s server (called “end-to-end” encryption) so no other parties can peek at the communication occurring between those two points. Understandably, this makes SSL and TLS invaluable in keeping us safe when we shop, bank, and otherwise transact with sensitive details online.
Going back to the late 1990s to early 2000’s, websites generally only used SSL on areas of their site where sensitive information was being transmitted – say, where you entered your delivery address or card details. However in 2014, Google started incentivising website owners to use SSL certificates site-wide – even on sites that don’t collect data at all – by giving those sites a small boost in their search rankings.
Google has since further incentivised SSL uptake through their Chrome browser. When a user visits a site that doesn’t use an SSL certificate, it will generally notify them that the site is “not secure” by way of a notification in the address bar. If the site fails other security checks, browsers like Google Chrome and Mozilla Firefox may try to stop you from visiting the page at all.
This focus on SSL/TLS (and encryption as a whole) has grown amidst a climate of increasing data privacy concerns. The uptake of SSL may be largely credited to Google, but it’s also part of an increasing culture of data protection worries, snooping threats, and high-profile cybersecurity scares. Bond’s yearly Internet Trends report states that 87% of web traffic was encrypted at the start of 2019, and we’ve no doubt that this figure will increase in coming years.
So that’s that, right? We’re all safer? Well, not quite…
How Does Encryption Make Us Less Secure?
Encryption and SSL are a truly positive move for online data privacy. But from a firewall perspective, it could be putting organisations at risk. Because SSL/TLS encrypts your traffic “end-to-end”, it creates an impenetrable tunnel between the website and the end user. If anyone tries to snoop in on what’s being communicated between those two points, they will just see nonsensical gibberish.
The job of a firewall is to inspect all data coming in to your network to ensure that no cybersecurity threats are making their way in – be they malware, hacking attempts, route injection attacks, or all manner of other cyber-nasties. However, it becomes incredibly hard for firewalls to inspect incoming data packets for threats when they’re encrypted. The firewall only sees the encrypted nonsense that any other kind of snooper would see.
Older firewalls especially struggle in this regard – they may be totally blind to the 87% of encrypted traffic that’s currently online.
The Development of the Modern Firewall
In the late 80’s and early 90’s, firewalls were little more than a list of which port activity and packet types to let in and which to turn away. The way they operated was fairly simple – “we know that bad activity generally travels in this way, so if you fulfil these criteria, you’re not getting in to our network”.
However, as internet use grew and the world wide web flickered to life, new protocols and emerging threats needed to be accounted for. More in-depth filtering practices became the norm – wherein the firewall could check the contents of each packet entering the network for potential threats; letting in the good packets and stopping potential threats in their tracks.
As cyber threats have become more sophisticated, firewalls (and the cybersecurity market as a whole) has had to adapt in order to keep up. Firewalls can now deeply inspect packets for threats, looking at an array of complex information about each packet; not just its contents, but metadata, behavioural context, geography, and countless other data points.
But the rise of encryption has somewhat quashed this ability. When a packet is encrypted, there is no way to see what’s in it without its encryption keys (the means by which the website’s server and the end user’s device uniquely encrypt and decrypt communications).
But firewall companies do have a trick up their sleeves…
Deep Packet Inspection – The Firewalls Fight Back!
As SSL/TLS encryption uptake has grown, firewall providers have been developing ways to counteract the security issues that it has unwittingly introduced. The most common way involves the firewall itself handling the encryption keys so as packets come in, they can be decrypted, inspected, then sent on their way. The security between the firewall and the individual networked users is handled with security certificates that are applied to each machine.
This method has a lot of names: the most common is “deep packet inspection”, but you may also see it dubbed “HTTPS proxy content inspection” or “DPI-SSL”. We like to use “deep packet inspection” (DPI) or “encrypted traffic inspection”.
There is one concern with this method, though. What happens when your firewall snoops in on your employees’ personal data as they are trying to do a spot of online banking or shopping in their lunch break? Wouldn’t that have major GDPR ramifications? Rest assured that firewalls that use deep packet inspection are able to turn a blind eye to trustworthy sites like major banks and retailers when properly configured, so it won’t inspect them.
Or you could just block access to those sites completely. It’s up to you.
So… are we safe yet?
TLS 1.3 Approaches
TLS 1.3 is the latest evolution in web security. It was released in 2018, but it’s quickly gaining widespread acceptance. The new TLS’s meticulously streamlined encryption and authentication protocols make it much harder for cybercriminals to snoop on your data in transit.
However, those same controls make it just as difficult for firewalls to carry out deep packet inspection.
For the time being, we’re still in a transitional phase between TLS 1.2 (which does allow DPI) and 1.3 (which doesn’t). For the most part, sites currently using 1.3 can sometimes let the user request to use 1.2 for compatibility reasons, but it’s only a matter of time before 1.3 becomes the norm and all older versions are retired.
The Future of Firewalls
So how are firewalls going to keep our organisations safe in future? We’ve got a lot of fancy gadgets here at Just Firewalls but sadly, a crystal ball isn’t one of them. Thankfully, cybersecurity industry leaders seem surprisingly upbeat about the future.
Some providers report that they may be able to detect malware hidden inside TLS 1.3 encrypted traffic. Inspecting packet metadata and the history of communications between two points is also an option. And with recent technological advancements, we may even be able to harness the power of AI; artificial intelligence may provide powerful firewall capabilities whilst also holistically analysing the network for vulnerabilities using penetration testing and edge connection analysis.
So, the future is looking bright, as long as firewall providers are willing to roll with the changes. Despite the headaches that encryption has caused within the firewall market, the ability to almost completely obfuscate sensitive data in transit is absolutely essential.
We’re eager to see what the future holds for both encryption standards and how firewall technology is going to navigate those developments. Due to their very nature, encryption and firewalls will most likely be at loggerheads for the foreseeable future, but we do share a common goal – keeping people secure online.
If you take anything away from this article, please check whether your current firewall is able to carry out deep packet inspection. If it can be enabled, then do so without delay.
If your firewall is too old to handle DPI, then give us a call! Our team are on hand to give you the advice and support you need to select the right firewall for your needs. We provide effective firewall solutions for organisations of all sizes, in all sectors. We provide discounts for educational establishments, charities, and CICs too! Get in touch with our team today to discuss your options.