TLS/SSL Analysis: When Encryption and Safety Are Not Alike


Most people think that SSL means safety. While this is not a false statement, you should not take it for granted. In fact, while your web browser warns you when a certain encrypted communication has issues (for instance, the SSL certificates don’t match), you should not assume that SSL = HTTPS, as:

  • TLS/SSL encryption is (fortunately) also becoming pervasive for non-web-based communications.
  • The web browser can warn you about the main URL, but you should look into the browser development console for other alerts (most people are unaware that this component exists).

When TLS/SSL communications are insecure (see below for details) we are in a very bad situation: we believe we have done our best, but in practice SSL is hiding our data without making it safe, as attackers have tools to exploit SSL weaknesses. In the past weeks we have spent quite some time enhancing SSL support in both nDPI and ntopng. This is to make people aware of SSL issues on their network, understand the risks, and implement countermeasures (e.g. update old servers). What we have implemented in the latest ntopng dev version (which will be merged into the next stable release) is SSL handshake dissection for detecting:

  • Insecure and weak ciphers
    Your communication is encrypted (i.e. you will see a lock in the URL bar), but the data you exchange might potentially be decrypted.
  • Client/server certificate mismatch
    You are not talking with the server you want to talk to.
  • Insecure/obsolete SSL/TLS versions
    It’s time to update your device/application.
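As an added example of what handshake dissection means in practice (this is not ntopng or nDPI code), the following Python script parses a TLS ClientHello record, extracts the offered protocol versions, cipher suites and server name (SNI), and flags the same three classes of issue listed above: obsolete protocol versions, weak cipher suites, and a requested server name that does not match the names a certificate carries. The certificate names are passed in as a plain list, since X.509 parsing is out of scope here; the cipher suite and version numbers are the IANA/RFC values, and the handshake bytes are constructed inline for the demonstration rather than captured from a network.

```python
"""Minimal TLS ClientHello dissection with weak-crypto and name-mismatch checks.

Added example, not nDPI/ntopng code. Cipher-suite ids and version numbers are
IANA/RFC values; the handshake record is constructed by build_client_hello().
"""
import struct

# IANA cipher suite identifiers (small subset). Weak suites are recognised by
# well-known markers in their names rather than by an exhaustive list.
CIPHER_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
WEAK_MARKERS = ("NULL", "RC4", "3DES", "EXPORT", "MD5", "anon")

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
OBSOLETE_VERSIONS = {0x0300, 0x0301, 0x0302}  # deprecated by RFC 7568 / RFC 8996


def parse_client_hello(record: bytes) -> dict:
    """Dissect one TLS record containing a ClientHello (RFC 5246 / RFC 8446 layout)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 0
    version = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    off += 32                                   # client random
    off += 1 + body[off]                        # session id (length-prefixed)
    cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                        # compression methods
    sni, supported_versions = None, []
    if off + 2 <= len(body):                    # extensions block is optional
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]; off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
            edata = body[off:off + elen]; off += elen
            if etype == 0 and len(edata) >= 5:  # server_name: list len, type, name len, name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == 43 and edata:         # supported_versions (client form)
                supported_versions = [struct.unpack("!H", edata[i:i + 2])[0]
                                      for i in range(1, 1 + edata[0], 2)]
    return {"version": version, "cipher_suites": suites,
            "sni": sni, "supported_versions": supported_versions}


def assess(hello: dict) -> list:
    """Return human-readable findings for obsolete versions and weak suites offered."""
    findings = []
    for v in hello["supported_versions"] or [hello["version"]]:
        if v in OBSOLETE_VERSIONS:
            findings.append(f"obsolete protocol version offered: {VERSION_NAMES.get(v, hex(v))}")
    for cs in hello["cipher_suites"]:
        name = CIPHER_NAMES.get(cs, f"unknown_{cs:04x}")
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite offered: {name}")
    return findings


def hostname_matches(sni: str, cert_names: list) -> bool:
    """RFC 6125-style check of the requested name against certificate names
    (exact match, or a wildcard covering only the leftmost label)."""
    sni = sni.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == sni:
            return True
        if name.startswith("*.") and "." in sni and sni.split(".", 1)[1] == name[2:]:
            return True
    return False


def build_client_hello(version, suites, sni, supported_versions=()):
    """Construct a ClientHello record for the demonstration (not a real capture)."""
    exts = b""
    if sni:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode()
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(lst)) + lst
    if supported_versions:
        vl = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", 43, len(vl) + 1) + bytes([len(vl)]) + vl
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: a TLS 1.2 hello that also offers TLS 1.0, RC4 and 3DES.
SAMPLE_HELLO = build_client_hello(0x0303, [0xC02F, 0x1301, 0x0005, 0x000A],
                                  "www.example.com", (0x0304, 0x0303, 0x0301))

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_HELLO)
    for finding in assess(hello):
        print(finding)
    print("name matches cert:", hostname_matches(hello["sni"], ["*.example.com"]))
```

The client's offered list is a weaker signal than what the server actually selects in its ServerHello, so a monitor that alerts on weak ciphers should ultimately key on the negotiated suite and version; the same parsing approach applies to the ServerHello, which carries a single version and a single cipher suite instead of lists.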

When an SSL communication does not satisfy all safety criteria, ntopng detects it and triggers an alert. In essence we have implemented a lightweight SSL monitoring console that allows you (without having to install an IDS or similar application) to understand the security risks and fix them before it’s too late.

Below you can find a valid SSL communication: for your convenience we have highlighted the SSL detection fields (in a future blog post we’ll talk more about JA3).

When ntopng detects TLS/SSL issues, it reports them both in the flow

and in the alerts

The goal of this post is not to scare the reader, but to increase awareness of what happens in network communications, and to show how ntopng can be used to understand the risks and implement countermeasures to keep your network safe.

Remember: you should not implement secure communications because you are scared of attackers, but because it’s the right thing to do to preserve your privacy.