Secrets Of Your Internet Encryption
You thought you knew your internet encryption but it is actually keeping secrets from you. To crack the code of internet encryption we first need to crack the acronym code (my most recurring complaint with the information technology market can be summed up as TMA or “too many acronyms”). The most common encryption method for internet users is known under various names: SSL (Secure Socket Layer), TLS (Transport Layer Security), HTTPS (Hyper Text Transfer Protocol Secure). TLS is the more recent version of SSL, and HTTPS is the browser manifestation of a SSL or TLS session being initiated between the web browser and the web server. If that alphabet soup is not enough to get you dizzy yet, then discovering that encryption key secrets are hiding inside your secure session will certainly be.
SSL Encryption Will Break or Make Your Business
Why should we care about all this? Isn’t it only about eCommerce? Well not anymore as now over 70% of the internet traffic is encrypted (1) while Google reports that 89% of traffic across Google is encrypted (2). It’s an encrypted world out there but Gartner indicates that 50% of malware threats coming from use of SSL traffic (3) and that 60% of organization will fail to decrypt HTTPS efficiently by 2020 (4). Not a pretty picture when the average cost of a data breach is estimated at $4 million (5). To complicate matters further, processing is very taxing to the pint that 80% of monitoring tools CPU is used by SSL decryption alone (6). In summary, the internet is going encrypted, threats are still there and costly, and handling encryption is not a cakewalk.
Hackers’ Delight: Static Encryption Keys Are Easier Targets
Now onto revealing part of the encryption secrets: hidden inside SSL and TLS encryption methods are two very different encryption key systems.
The first one is older and relies on static keys. They are somewhat easy to implement but for hackers they are like shooting at a fixed target: aiming is easier over time, it is always there and always the same.
The second one is more recent and relies on temporary, or ephemeral, keys. They require a new way of doing things but to hackers they are like shooting at a moving clay target: difficult to hit every single time, they disappear fast and they are different each and every time.
Ephemeral Encryption are Keys Preferred by browsers and servers
To reveal even more secrets of your internet encryption, in October 2017 Ixia published an encryption study covering the whole gamut of encryption keys (7). The findings were nothing short of a changing of the guard.
By studying 130 browser variants, it became clear that Browsers prefer ephemeral encryption keys. The first 19 ranks of encryption key preference by browsers were of the ephemeral type. It is not until the 20th rank that the [not so] best place of preference by browsers is for a static key. And out of all the browsers, Chrome browsers are the bellwether setting the trends for encryption preference.
Similarly, Ixia studied the server side of the encryption equation and servers prefer ephemeral encryption keys too! 97% of top 100 websites prefer ephemeral keys and 89% of top 10,000 websites prefer ephemeral keys.
Best Practices For Encryption Optimization
Now why would anyone not use ephemeral keys over static ones? Fear of change, inertia, or older infrastructure are the most likely culprits. However, not only ephemeral keys are more secure, they don’t have to require a huge change if handled according to best practices.
The main principles are to standardize on ephemeral encryption keys, design your visibility infrastructure to support ephemeral keys, and chose vendors who optimize hardware and software for ephemeral keys.
But a great visibility infrastructure based on active SSL goes even further by decrypting traffic once, and then using it many times. By deploying an active SSL visibility architecture and decrypting SSL in intelligent network packet brokers that process traffic to remove duplicate and unnecessary data, you can provide optimized clear text data to your monitoring and security systems.
There are no more secrets hiding in your internet encryption anymore. Security, visibility, and efficiency: what’s not to like?
- Google https://transparencyreport.google.com/https/overview
- Gartner https://www.gartner.com/doc/2635018/security-leaders-address-threats-rising
- Gartner https://www.gartner.com/doc/3542117/predicts--network-gateway-security
- Ponemon Institute https://securityintelligence.com/media/2016-cost-data-breach-study/
- Ixia Encryption Study https://www.ixiacom.com/sites/default/files/2017-10/Ixia-T-WP-State-of-Encryption.pdf