You’re likely used by now to seeing the HTTPS prefix ahead of many of the domains you visit, whereas just a few years ago HTTP (Hyper Text Transfer Protocol) would have been the norm. You only have to take a look at the address bar for this very site and there you have it, along with that trusty little padlock.
As the acronym suggests, HTTPS is simply an extension to HTTP which facilitates secure communication over a computer network (yep, it’s that simple, the S does just stand for secure!). Based on, and secured by, Secure Sockets Layer (SSL) technology – well, Transport Layer Security (TLS) nowadays but the SSL tag has stuck – it is now widely used on the internet to facilitate secure web browsing.
So, what’s not to like? Within the world of cyber security the adoption by websites of the HTTPS protocol has been pretty much universally accepted as a positive move. And we’re not going to argue with that, it is most definitely a good thing.
However, as the title of this blog suggests, we do have one major concern related to the prevalence of the HTTPS protocol now and it relates to the firewalls that just about every business uses to secure their network.
The problem is that HTTPS has introduced a level of security that means many firewalls can’t actually filter the traffic secured by it because the content is not accessible. Essentially, HTTPS is doing its job. But firewalls that may have been in place for many years now can’t do theirs and for a business this means one thing, vulnerability. This is the dark side of HTTPS and cyber criminals are already leveraging encrypted traffic to disguise malicious attacks.
Some may say that this is just a consequence of individual’s security online being safeguarded, which businesses must deal with. But when that individual is an employee of a business and their activity online threatens the network and data assets of that employer, surely the business has not just the right but the responsibility to do something about it?
Here at DCS, we think this is indeed the case. Businesses have a responsibility to their customers, employees and all they hold data on (especially post-GDPR implementation) to maintain the security and integrity of their network infrastructure. This is why, working with our longstanding partners Sonicwall, we now offer and deploy next-generation firewall technology, capable of filtering HTTPS content, to our customers.
Amongst the customers we have rolled this technology out to already, the number one issue we’ve found has actually been awareness of the potential vulnerabilities associated with HTTPS traffic, something that prompted the writing of this article. Many businesses may not be aware of this new security weakness, ironically introduced by advancements in online security, but once they are then most can see something has to be done.
However, we have also had concerns raised by clients in relation to the privacy of their staff and the impact that a roll out of this technology could have on the bond of trust between employer and employee. It’s a valid point, and one that’s probably a little more nuanced than the blanket interpretation we alluded to earlier in this article that a business has a right to inspect all activity on their network.
Don’t get us wrong, the business probably does have that right but many will choose to waive this when it comes to certain types of data and traffic. That’s why the Sonicwall solutions we provide are capable of being set up and working with exemptions on traffic from the likes of banking and healthcare websites, a feature we will always highlight to customers and one that has been universally deployed up until now.
As always, we believe that by understanding the nature of the threat, we are capable of introducing a robust and appropriate defence against it.
To find out more on this subject contact the cyber security experts at DCS or click here to download an exclusive Sonicwall white paper on understanding encrypted threats.