I recently came across WatchGuard's Internet Security Report for last quarter (available here, with a summary article here). The findings are surprising and, if the report's results are broadly accurate, indicate a notable lack of tuning of the relevant network security tools.
Interesting Findings
One finding stood out among the rest: only 20% of users enable SSL inspection. A related item is that 93% of malware is downloaded via encrypted means (at least, that's how I read the report).
The latter point comes as no surprise - if anything, given how rare plain HTTP sites are these days, I'd expect even higher than 93%.
The main point, however, is concerning. Virtually 100% of web browsing is via HTTPS, and not inspecting it means that the organisation has no visibility into any website activity other than which site was connected to (and perhaps not even that).
Disclaimer
The finding should be taken in context. This is one vendor's report and does not necessarily imply that 80% of all organisations have SSL inspection disabled.
If you have the capability, however, and do not use it, then perhaps you should.
SSL Inspection
The benefit of SSL inspection is full visibility of the data stream.
This can achieve two goals - security and management.
For management, this helps to achieve policy compliance to ensure inappropriate web sites are not visited (DNS filtering can also help but has its own challenges).
For security, the data visibility allows for scanning for malicious content.
Solutions and Limitations
An SSL inspection facility, while necessary for the above goals, is fundamentally an attack from the perspective of the web client and server: the appliance terminates the secure connection and inserts itself into the path, running one encrypted session to the client and another to the server - a textbook Man in the Middle.
As can be expected, making this work requires altering the certificate trust model as per the below:
Certificate management:
The client browser still expects a secure connection, so the appliance needs to present a certificate for the correct website name. As it certainly cannot prove ownership of the website domain, the certificate must be issued internally, normally by the appliance itself and signed by an internal Certificate Authority (the appliance itself can be the CA, or an intermediate CA chained to an internal root CA).
The browser is not going to trust that.
Resolving this issue requires a mass trusted root certificate deployment, via Group Policy or similar.
Challenges:
- As can be expected, guest or BYOD devices are essentially unmanageable from this perspective and should be on an isolated network (in the in-office scenario).
- Intercepting traffic to financial, health, and similar web sites is likely illegal or at least highly problematic and should be exempted.
- Certain vendors pin their certificates on the client side, so the replacement certificate will be rejected by the client. Notable examples include Google services and Office 365.
On the latter, Zscaler provides a useful list of impacted apps here.
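The certificate mechanics from the section above and the bypass decision from the challenges list, as one added shell example that is not from the post, the WatchGuard report or any vendor's product. It assumes the openssl command-line tool is installed; the CA name, the hostnames and the bypass list are constructed for illustration, and a real appliance does this per connection in memory rather than with files on disk. The same run shows why the internal root must be pushed to managed clients (verification succeeds only with that root) and why an unmanaged device sees an untrusted issuer.

```shell
#!/bin/sh
# Added example (not from the post or any vendor): a minimal model of what an
# inspection appliance does with certificates, plus the SNI bypass decision.
# Assumes the openssl CLI is installed; all names below are constructed.
set -eu

WORK=$(mktemp -d)

# Hypothetical bypass list: exempted categories (financial, health) and
# vendors known to pin certificates. Matched by domain suffix so that
# subdomains are covered, but "notgoogle.com" is not.
BYPASS_SUFFIXES="bank.example health.example google.com office.com"

# Return 0 (true) if the TLS SNI/hostname must be passed through uninspected.
should_bypass() {
  host=$1
  for s in $BYPASS_SUFFIXES; do
    case "$host" in
      "$s" | *."$s") return 0 ;;   # exact match or a proper subdomain only
    esac
  done
  return 1
}

# The appliance's own internal root CA: the certificate that has to be
# deployed to every managed client's trust store.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Corp Inspection Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Mint a leaf certificate for the website name the client asked for, signed
# by the internal CA; this is what the browser is shown instead of the real
# site's certificate.
issue_leaf() {
  host=$1
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" \
    > "$WORK/$host.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$host.cnf" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# A managed client: the internal root is in its trust store.
verify_with_internal_root() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# An unmanaged (guest/BYOD) client: only the system's public roots.
verify_with_public_roots() {
  openssl verify "$WORK/$1.crt" >/dev/null 2>&1
}

# Issuer of the certificate a client would see; an endpoint or a log review
# can use this field to tell an inspected session from a direct one.
cert_issuer() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

make_ca
for host in example.test mail.google.com bank.example; do
  if should_bypass "$host"; then
    echo "$host: on bypass list, passed through uninspected"
    continue
  fi
  issue_leaf "$host"
  echo "$host: re-issued, $(cert_issuer "$host")"
  if verify_with_internal_root "$host"; then
    echo "$host: managed client accepts the re-issued certificate"
  fi
  if ! verify_with_public_roots "$host"; then
    echo "$host: unmanaged client rejects it (unknown issuer)"
  fi
done
```

The suffix match is deliberately strict: a bypass entry for google.com exempts mail.google.com but not a lookalike domain, which is the mistake a loose substring match would make. Keeping the bypass list short and reviewed matters, since every entry is traffic the appliance never scans.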