TECHNICAL INSIGHTS: BREAKING BAD – ARE YOU READY TO LAWFULLY INTERCEPT TLS 1.3?

Are you performing TLS inspection of your enterprise web traffic? If not, you really should be. TLS 1.3 is going to make that a little trickier for us all, though not without good reason.

TLS everywhere has been the call from big tech and many security researchers for a while now, and all the major browsers have been flagging unencrypted, HTTP-only websites as insecure since the beginning of 2019. Consumers are catching on, and quite right too! Robust TLS encryption prevents a multitude of common attack methods: capturing data in transit becomes much harder, and it helps to stop third-party content injection, whether advertising junk or malicious content.


So the launch of TLS 1.3 in March, offering greatly enhanced security, has got to be good news! Well yes, it most certainly is; however, as is often the way of things, enterprises (and security vendors) are going to have to put in a bit of work to catch up.

Right now, TLS 1.3 uptake is looking very strong indeed: according to shodan.io, there are over 1.5 million sites offering TLS 1.3 capability. The charge is being led by the big CDNs like Akamai, Cloudflare and Incapsula, which is very commendable.

We’ve been sitting pretty in the enterprise space, able to intercept and inspect TLS 1.0-1.3 for many years now: inspecting traffic to ensure malicious content is blocked, IPS functions are performed, forensic copies of data are archived and WAFs can inspect paths and parameters. The list goes on.

However, if an enterprise sysadmin takes a look at their corporate web filter, load balancer, ADC, WAF or NG firewall, they may be in for a shock, as that magic TLS 1.3 check box or menu item may strangely be missing.

I’m unsure if the rapid uptake of TLS 1.3 has come as a bit of a shock for vendors, or perhaps the equally rapid loss of secure cipher suite options with TLS 1.2, but there’s definitely some catch-up to be done here.

TLS 1.3 will arrive in our WAFs and ADCs soon enough (hats off to Barracuda Networks for being early to the party and having TLS 1.3 support for quite some time in their WAF product); however, outbound inspection of user web traffic is an equally pressing matter.

All the modern browsers in use in the enterprise today will support TLS 1.3, and malware, phishing and other malicious content is easy enough to deliver on a TLS 1.3-only website. This presents the enterprise with a choice: attempt to downgrade to TLS 1.2, block the traffic, or allow it with no inspection. That downgrade may not work for some sites, dependent on a variety of elements such as the upstream configuration and the type of inspection being performed within the enterprise. TLS 1.3 has an inbuilt mechanism to detect downgrade to TLS 1.2, and before long that will be used by both legitimate and malicious sites to ensure that a downgrade to the far less secure TLS 1.2 does not happen.
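The inbuilt downgrade mechanism referred to above is the marker defined in RFC 8446 section 4.1.3. The following Python code is an added example, not part of the original article, showing the check a TLS 1.3 client applies to a ServerHello; the function names and the constructed ServerHello bodies are assumptions made for illustration.

```python
import struct

# RFC 8446 section 4.1.3: a TLS 1.3-capable server that negotiates an older
# version writes one of these markers into the last 8 bytes of ServerHello.random.
SENTINEL_TLS12 = b"DOWNGRD\x01"      # negotiated TLS 1.2
SENTINEL_TLS11 = b"DOWNGRD\x00"      # negotiated TLS 1.1 or below
TLS12, TLS13 = 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43

def parse_server_hello(body: bytes):
    """Return (negotiated_version, random) from a ServerHello body
    (the bytes after the 4-byte handshake header)."""
    if len(body) < 38:
        raise ValueError("ServerHello too short")
    version = struct.unpack_from("!H", body, 0)[0]   # legacy_version
    random = body[2:34]
    off = 35 + body[34]          # skip session_id length byte and session_id
    off += 3                     # cipher_suite (2) + compression_method (1)
    if off + 2 <= len(body):     # extensions are optional before TLS 1.3
        end = off + 2 + struct.unpack_from("!H", body, off)[0]
        off += 2
        if end > len(body):
            raise ValueError("truncated extensions")
        while off + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, off)
            off += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                version = struct.unpack_from("!H", body, off)[0]
            off += ext_len
    return version, random

def downgrade_detected(body: bytes, client_max: int = TLS13) -> bool:
    """True when a client that offered TLS 1.3 must abort the handshake."""
    version, random = parse_server_hello(body)
    if client_max < TLS13 or version >= TLS13:
        return False
    return random[24:] in (SENTINEL_TLS12, SENTINEL_TLS11)

def build_server_hello(random: bytes, tls13: bool) -> bytes:
    """Constructed sample input, not a captured handshake."""
    ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13) if tls13 else b""
    cipher = 0x1301 if tls13 else 0xC02F
    return (struct.pack("!H", TLS12) + random + b"\x00"
            + struct.pack("!HB", cipher, 0) + struct.pack("!H", len(ext)) + ext)

GENUINE_TLS13 = build_server_hello(bytes(range(32)), tls13=True)
HONEST_TLS12 = build_server_hello(bytes(range(32)), tls13=False)
DOWNGRADED = build_server_hello(bytes(24) + SENTINEL_TLS12, tls13=False)
```

A ServerHello that negotiates TLS 1.2 without the marker comes from a server that simply does not support TLS 1.3, so only `DOWNGRADED` is rejected.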


In addition, TLS 1.3 now encrypts this initial key exchange between server and client. This means we no longer see the properties of a certificate (and the website that has been visited) in the initial request, which was commonly used with TLS 1.2 as a method of determining whether inspection should take place.

Time may be short for us to get fully compliant with TLS 1.3. TLS 1.0 is dead: PCI knocked it on the head in 2018. There’s still plenty in use out there, but I believe we’ll see its global footprint shrink almost as quickly as we’ve seen TLS 1.3 grow. TLS 1.2 may not have long to live, due to the ever-shrinking number of still-secure cipher suites available to use. A newly discovered critical weakness in 1.2 may be enough to tip the balance and really drive 1.3 uptake.

The security benefits for any organisation of inspecting TLS are clear. The internet is turning to TLS in a big way: reports from the likes of Fortinet state that well over 70% of the Internet is using TLS today, with predictions by NSS Labs suggesting over 75% for the start of 2020. This means 75% of any organisation’s outbound web access is potentially passing through to the endpoint with little or no inspection or filtering. Industry reports vary a little here, but most agree that an increasing percentage of attacks use TLS encryption as part of the methodology, for command and control connections, delivery of payloads or data exfiltration. Similar protections are important for protecting your own web assets, with inbound inspection or TLS handoff to a WAF or other security equipment.

If you’re looking to deploy new corporate web filtering, whether on-premise, cloud or hybrid, you’ve got to ensure there’s that TLS 1.3 future-proofing in there; otherwise it’s highly likely you will find yourself unable to inspect the modern encryption methods in use.

NEXT STEPS…

Please reach out to us or get in touch with your account manager if you require any assistance or have any questions.

Written by David Peters, Technical Director for ANSecurity

