dc.description.abstract |
HTTPS is used to secure communication (transactions and other activities) over the Internet using SSL. HTTPS encrypts all data transmitted from the client browser to the server and vice versa, keeping it confidential. However, these normal defences are not visible to network security tools because of the encryption itself, and encryption is also used by criminals to hide their activities, which may include hiding malicious actions or messages, initial infection, C&C servers and intentional or unintentional data exfiltration. For example, a user may download a file (which may contain malware) through a phishing email, supposing that it is a safe file. The file establishes an encrypted session to a Command and Control (C&C) server and the attackers' malware is downloaded directly. As a result, the attack that occurred in the session is encrypted and the malware evades the network security [1]. To defend against malicious payloads encrypted by SSL, there may be a need to inspect SSL traffic as well. This means that some middleboxes inspect encrypted traffic in different ways to check whether it is malware free; this is called full SSL or deep inspection. The traffic is decrypted at the middlebox and inspected by edge security tools, and after inspection the traffic is re-encrypted and transmitted to the client [1],[2]. These middleboxes deploy different methods to decrypt SSL traffic for inspection, such as the man-in-the-middle approach, which in turn violates the end-to-end security of SSL [3],[9]. Such approaches violate end-to-end security, and thus the purpose of SSL security cannot be achieved in true spirit. Different vendors provide monitoring solutions for SSL traffic to guard against the threats already mentioned. Our research aims to explore the different methods of SSL inspection deployed by middleboxes, find the vulnerabilities of these methods and improve upon them in order to ensure the privacy and end-to-end security for which SSL was introduced. |
en_US |