SSL Filtering Wont Increase Security
If you use the Web, you use Secure Sockets Layer connections. SSL is the technology that secures your connection so you can safely submit your credit card number to online merchants such as Amazon.com. It makes it possible to securely use Web-based mail clients from kiosks or shared computers. It is also used to provide clientless VPN connections to company networks.
And it has been broken.
Not by a virus or worm, or a newly discovered security hole, or a malicious hacker. SSL has been broken by well-intentioned security vendors trying to provide requested capabilities to their customers. Both the vendors and at least some of their customers see SSL as a potential hole in their firewall and security infrastructure. Because SSL is a secure and encrypted connection, it has been impossible to scan SSL connections for viruses or to apply content filters to the information that passes through an SSL connection.
So, to close this potential hole, security vendors such as Secure Computing and Webwasher recently have added a feature known as SSL filtering to their products. This feature works as a sort of virtual proxy between clients and SSL servers, decrypting and scanning SSL links before sending the information on.
This feature makes it possible to apply anti-virus scanning, firewall rules and content filtering to SSL connections. Unfortunately, it also makes it possible to scan and store all the information that employees and others within the network send to online merchants, including credit card numbers. If a visitor to the company uses the network to access a secure Web-mail client, it makes it possible to break this security and scan a users mail.
If this sounds bad, imagine this technology being used by an ISP or, even worse, a repressive government. And if outraged employees and corporate visitors arent good-enough reasons to think twice about deploying SSL filtering, think about this: SSL filtering may very well be illegal.
If online merchants such as Amazon. com found out that companies were using SSL filtering to break the secure connection they are providing to their customers, they probably wouldnt be very happy. And they could very well take action using the extremely broad federal DMCA (Digital Millennium Copyright Act) law.
Under the DMCA, it is illegal to break a security mechanism that has been put into place to protect content. And that is exactly what SSL filtering is doing. Merchants and other companies must be 100 percent sure that using their services is secure, and anything that breaks that security, for whatever reason, is a threat to their business.
SSL filtering could also become a threat to Internet privacy, as most systems that provide privacy and anonymity use SSL in one way or another.
The problem is, the genie of SSL filtering is already out of the bottle. Even if these security companies decided to eliminate this feature, others will be able to duplicate the capabilities.
Thats why I recommend that the vendors and open-source organizations that create Web browsers and the server-side SSL systems update their products so they are able to detect if an SSL filter has been placed in their connection path. Once this is detected, either a workaround can be developed or the client could at least be sent a message that SSL is not secure on the local network.
And for companies interested in deploying SSL filtering, I recommend that you think again before taking that step. Not every possible security hole should be closed; some security risks are the price of a free society. You cant control what comes in and out of your company through the federal mail system, but opening and reading all the mail your employees receive and send would be both morally wrong and illegal.
If you are worried about the theoretical problem of SSL connections, then block them in your company network. Or, look into client-side security solutions like anti-virus or firewall software that achieve the same goals without breaking someone elses secure communication mechanism.
Breaking the main mechanism for secure communications on the Web is no way to make your company more secure.
Discuss this in the eWEEK forum.
eWEEK Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.