HTTPS, Data Loss Prevention, and Man-in-the-Middle

By: Absolute Editorial Team | 10/28/2013

The security provided by Secure Sockets Layer (SSL) / Transport Layer Security (TLS) for HTTPS has enabled ecommerce, electronic banking, and many other useful business functions on the internet. Major functions of SSL/TLS include:

  •  Authentication of servers to clients using a standardized Certificate Authority system to sign and distribute server certificates.
  •  Public key and symmetric encryption algorithms to protect data from disclosure, tampering, and replay.

However, significant technical security controls, including web browsing management, malware analysis, safe search enforcement, and content-aware data loss prevention, depend on being able to observe network traffic in order to protect a site's network. Educational environments depend on web browsing management and safe search enforcement to manage students' Internet usage. Industries dealing with sensitive information, such as healthcare organizations, depend on content-aware data loss prevention to prevent costly disclosures of confidential data. As more web services switch to SSL/TLS to protect data from eavesdropping, as Google Search has done, visibility into network streams drops, inhibiting necessary and legitimate security controls.

I mention this because, during a guest lecture I gave in a graduate management information security course a couple of weeks ago on corporate information security control technology, we had a good discussion regarding man-in-the-middle (MITM) decryption of SSL traffic. Legitimate use of this capability on HTTPS traffic enables the aforementioned security controls, provided that the endpoints in the organization are configured to trust the spoofed server certificates created by the web proxy (that is, to trust the certificate authority the proxy uses to sign them). There are obvious concerns about nation-state actors subverting encryption, but students also raised the issue of decryption of sensitive personal transactions, such as personal banking transactions traversing an organization's network.
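The mechanism described above, as an added example that is not part of the original article or any product it refers to: a model of the proxy's signing CA mints a substitute certificate for a host, and a client check shows that the certificate is rejected unless the proxy CA is in the client's trust store. The CA name, the host name, and the function names are all assumptions chosen for illustration; the same issuer check lets an administrator or user confirm from the client side which CA actually signed the certificate they received.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Interceptor models the private CA a TLS-inspecting web proxy uses to sign
// the substitute ("spoofed") server certificates it presents to clients.
type Interceptor struct {
	CACert *x509.Certificate
	caKey  *ecdsa.PrivateKey
}

// NewInterceptor generates a self-signed proxy CA (hypothetical name).
func NewInterceptor() (*Interceptor, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Web Proxy CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Interceptor{CACert: cert, caKey: key}, nil
}

// SubstituteCert mints the certificate the proxy would present for host in
// place of the real server's certificate.
func (i *Interceptor) SubstituteCert(host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.CACert, &leafKey.PublicKey, i.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts validates leaf for host against a trust store holding exactly
// the given roots; a nil error means a client with that store would connect.
func ClientAccepts(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool() // deliberately empty unless roots are supplied
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

// RejectedAsUnknownAuthority reports whether a validation failure was caused
// by an untrusted issuer, which is what an unmanaged endpoint sees.
func RejectedAsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// IssuedBy is the client-side check: did this specific CA sign the leaf?
func IssuedBy(leaf, ca *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(ca) == nil
}

func main() {
	proxy, _ := NewInterceptor()
	leaf, _ := proxy.SubstituteCert("www.bank.example") // constructed host name
	err := ClientAccepts(leaf, "www.bank.example")
	fmt.Println("unmanaged client, untrusted issuer:", RejectedAsUnknownAuthority(err))
	fmt.Println("managed client accepts:", ClientAccepts(leaf, "www.bank.example", proxy.CACert) == nil)
	fmt.Println("signed by proxy CA:", IssuedBy(leaf, proxy.CACert))
}
```

The point the lecture discussion turns on is visible in `ClientAccepts`: nothing about the substitute certificate is cryptographically weaker than a real one, so the only thing standing between interception and an ordinary browser is whether the proxy CA is in the trust store. That is why distributing the proxy CA only to managed endpoints, and auditing which CAs are in those stores, is the control that matters.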

Our discussion settled on two recommendations for organizations implementing web proxies with MITM decryption:

  1. Whitelist (bypass decryption) for traffic involving personal banking and other sites posing no risk of policy violations, and/or
  2. Block access to personal banking and other non-business-related sites to prevent inadvertent decryption of employee-confidential data.
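Both recommendations come down to a per-host decision the proxy makes before it decides whether to decrypt. The following is an added example, not code from the original article or from any proxy product, showing one way to express such a policy: suffix rules matched on label boundaries (so a rule for `bank.example` covers `www.bank.example` but not `notbank.example`), with the most specific matching rule winning and decryption as the default. The rule list and host names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is what the proxy does with a TLS connection to a given host.
type Action int

const (
	Decrypt Action = iota // inspect: the default for business traffic
	Bypass                // recommendation 1: pass through without decryption
	Block                 // recommendation 2: refuse the connection outright
)

func (a Action) String() string {
	return [...]string{"decrypt", "bypass", "block"}[a]
}

// Rule applies an Action to a domain and all of its subdomains.
type Rule struct {
	Suffix string
	Action Action
}

// matchesSuffix is true when host equals suffix or is a subdomain of it.
// Matching on the label boundary avoids "notbank.example" matching "bank.example".
func matchesSuffix(host, suffix string) bool {
	return host == suffix || strings.HasSuffix(host, "."+suffix)
}

// Decide returns the action for host. Hostnames are normalised (lower case,
// trailing dot removed) and the longest matching suffix wins, so a narrower
// rule can override a broader one.
func Decide(host string, rules []Rule) Action {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	best, bestLen := Decrypt, -1
	for _, r := range rules {
		s := strings.ToLower(r.Suffix)
		if matchesSuffix(host, s) && len(s) > bestLen {
			best, bestLen = r.Action, len(s)
		}
	}
	return best
}

// ExamplePolicy is a constructed rule set reflecting the two recommendations.
var ExamplePolicy = []Rule{
	{"bank.example", Bypass},         // personal banking: never decrypt
	{"socialnet.example", Block},     // non-business site: block instead
	{"partner.socialnet.example", Decrypt}, // narrower override for an approved subdomain
}

func main() {
	for _, h := range []string{"www.bank.example", "notbank.example", "SocialNet.example.", "partner.socialnet.example", "intranet.corp.example"} {
		fmt.Printf("%-28s -> %s\n", h, Decide(h, ExamplePolicy))
	}
}
```

A proxy typically learns the host from the TLS Server Name Indication before any decryption happens, which is what makes a bypass decision possible at all; when the SNI is absent or does not match the certificate later presented, the decision should be treated as unresolved rather than silently defaulting to pass-through.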