SSL security leaves loophole for hackers

Companies need additional defences to tackle the problem, say experts

Many firms are unknowingly allowing hackers to send malicious code into their networks via Secure Sockets Layer (SSL) encrypted links because it cannot be detected by most intrusion-detection systems (IDSs), according to a leading web application security vendor.

Marc Shinbrood, chief executive of Breach Security, told IT Week that because IDSs can only read clear text HTTP traffic, there is a blind spot that firms need to eliminate by installing tools to decrypt SSL traffic as it arrives and then pass it on to be inspected.

“Hackers have been using SSL for years,” said Shinbrood. “But the amount of encrypted traffic over the last few years has increased to around 50 percent [of all network traffic], so it has become more of an issue.”

Nearly 200,000 public sites are protected by SSL, including online banking and e-commerce web sites, according to Breach.

Greg Day, security analyst at McAfee, said that if firms are aware of the problem they can place more detection sensors behind the SSL termination point or on the client, using hosted intrusion-prevention systems (IPSs).

"If it is your pipe we can actually decrypt and do real-time analysis," Day said. "But it's very easy for firms to overlook [this blind spot] – the problem is having false confidence; firms have to realise their IT security limitations and have layers of defence."

Breach's Shinbrood added that the main reason for enterprises to invest in tools for web application security is to reduce the risk of bad PR from data being exposed, and the resulting damage to brands and customer trust.

“Compliance with regulations is a necessary evil but it isn’t the driving force [for buying security tools],” Shinbrood said. “If you talk to IT security chiefs, their job is to keep the company off the front page of the Wall Street Journal, or from appearing in front of a government regulatory committee, or ha ving their customers doubting whether they should do business with them.”

But Shinbrood added that many firms are ignoring the risks of attack through the web application layer, which he said now accounts for around 80 percent of successful attacks.

Ofer Shezaf, chief technology officer for Breach, said awareness of web application security is steadily growing, prompting many firms to appoint an application security manager.