Do You Know What Hackers Hide in SSL/TLS?


ntop believes that the future of traffic monitoring and network security will be decided by the ability to inspect the behaviour of encrypted communications. We are fortunate that Sam Bocetta agreed to write about encryption. Sam is a freelance journalist specializing in US diplomacy and national security, with an emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography. He is currently working as a part-time cybersecurity coordinator at

SSL/TLS authentication has been around for a while. SSL was one of the first internet security protocols, and an SSL certificate, signified by the green padlock at the far left of the URL bar, is supposed to reassure internet users that the website they are visiting has been authenticated. However, hackers, being the innovative mischief makers they are, have found ways to commit cyber crimes under the cover of the Secure Sockets Layer.

How Does SSL/TLS Authentication Work?

SSL uses a technology known as asymmetric encryption. With this type of encryption there are two keys: one public and one private. The public key, shared via the SSL certificate, tells every browser how to encrypt the data. The private key resides on the website’s back-end servers, where it is used to decrypt the data and complete the request. Website owners are responsible for obtaining an SSL certificate from a proper certificate authority, although some web hosting providers offer SSL encryption as part of their service. This type of encryption is critical for any website or application that transfers sensitive information such as passwords, account numbers, and other financial data, because it keeps outsiders from intercepting the transmission.

The Flaws Inherent in the System

Encryption is added on top of the HTTP protocol to create HTTPS, secure HTTP, which is HTTP carried over Transport Layer Security (TLS). Occasionally, users will receive a message that the SSL certificates don’t match. This can be due to a simple client/server mismatch or some other benign reason. However, enterprising hackers have found a way to get around the protection by using TLS after the browsing session begins, and you won’t get any error messages or warnings that it’s happening.

In 2017, the Cyren blog reported that 37 percent of malware uses HTTPS as a vehicle for delivering viruses. The malware is engineered into network packets in such a way that it can get past the initial encryption and hide on the end user’s computer, infiltrate your corporate network, or act as a host on its own servers, from which it can infect systems remotely. Regular security measures don’t always work because the malware payload is encrypted and may not be identified by firewalls or intrusion detection systems (IDSs). Most users assume that any website with a valid SSL certificate can be trusted, but in fact the opposite is the case.

Even app stores aren’t safe. The Chrome Web Store and other stores have been found to carry lookalike third-party security plugins. They are designed and function like legitimate ones, but they are used for crypto-jacking. So make sure that you only use apps and plugins on your website that come from trusted developers, and try to download them directly from an official website.

Protecting Your Website

One of the first measures to take is to use one of the top web hosting services rated for security and uptime. When researching your options, look for cloud providers that offer network monitoring services, live scanning for viruses and malware, and strong uptime performance. You should also use a virtual private network (VPN) client when browsing the web, to add another layer of encryption to your traffic.

To make your enterprise network truly secure, you’ll need to invest in more modern cybersecurity solutions such as deep packet inspection (DPI) and SSL fingerprinting. With nDPI, ntop’s open source DPI toolkit, a separate layer of scanning is added at the perimeter of your network that is responsible for decrypting incoming data, scanning it for known malicious threats, and then encrypting it again for final delivery to the user’s browser. However, using DPI does introduce privacy concerns for the users on your network, as their traffic is no longer truly encrypted end to end. Also, turning on DPI places a heavy, continuous strain on network resources that could hurt internet speeds across the organization.

That’s why SSL fingerprinting may be the better long-term solution. With SSL fingerprinting, metadata is extracted during the initial handshake between the browser and the back-end server to validate that no protocol changes have been injected between the two endpoints. Early fingerprinting methods, including JA3, relied on a manually maintained database to track which fingerprints were safe and which were dangerous. Now some companies are going a step further by building real-time fingerprint databases that are updated automatically to identify malware that could be hiding in SSL traffic.
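The handshake metadata referred to above is exactly what a JA3 fingerprint is built from: the client's offered TLS version, cipher suites, extensions, elliptic curves and point formats, with GREASE values removed, joined into a string and hashed with MD5. The following is an added example, not code from the original post, from ntop or from nDPI; it parses a constructed ClientHello record (not a real capture), derives its JA3 string and hash, and checks the hash against a blocklist, with `classify` being a hypothetical helper named here for illustration.

```python
import hashlib

GREASE = {(0x0a + 0x10 * i) * 0x101 for i in range(16)}  # 0x0a0a ... 0xfafa (RFC 8701), dropped by JA3

def _u16s(data):  # split bytes into big-endian 16-bit integers
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]

def ja3_string(record):
    """Return 'version,ciphers,extensions,curves,point_formats' for a raw ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                     # past the 5-byte record and 4-byte handshake headers
    version = int.from_bytes(record[pos:pos + 2], "big")
    pos += 2 + 32                               # client version + 32-byte random
    pos += 1 + record[pos]                      # length-prefixed session id
    n = int.from_bytes(record[pos:pos + 2], "big")
    ciphers = [c for c in _u16s(record[pos + 2:pos + 2 + n]) if c not in GREASE]
    pos += 2 + n
    pos += 1 + record[pos]                      # length-prefixed compression methods
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    exts, curves, formats = [], [], []
    while pos + 4 <= end:                       # each extension: type(2) length(2) body
        etype, elen = _u16s(record[pos:pos + 4])
        body = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 0x000a:                     # supported_groups (elliptic curves), 2-byte list length first
            curves = [c for c in _u16s(body[2:]) if c not in GREASE]
        elif etype == 0x000b:                   # ec_point_formats, 1-byte list length first
            formats = list(body[1:])
    parts = [[version], ciphers, exts, curves, formats]
    return ",".join("-".join(map(str, p)) for p in parts)

def ja3_hash(record):  # MD5 of the JA3 string: the 32-hex-char form that fingerprint databases store
    return hashlib.md5(ja3_string(record).encode(), usedforsecurity=False).hexdigest()

def classify(record, known_bad):  # hypothetical helper: match the handshake against a blocklist
    return "alert" if ja3_hash(record) in known_bad else "ok"

SAMPLE_CLIENT_HELLO = bytes.fromhex(            # constructed for this example, not a real capture
    "160301004d" "01000049" +                   # record header (77 bytes), handshake header (73 bytes)
    "0303" + "11" * 32 +                        # client version TLS 1.2, 32-byte random
    "00" "0008" "0a0a13011302c02b" "0100" +     # no session id; 4 suites (0a0a is GREASE); null compression
    "0018" "000a00060004001d0017" +             # extensions length 24; supported_groups: x25519, secp256r1
    "000b00020100" "0a0a0000" "00170000"        # ec_point_formats: uncompressed; GREASE ext; extended_master_secret
)
```

Nothing is decrypted: the fields JA3 reads are all sent in the clear before the session key exists, which is why a fingerprint lookup costs far less than full DPI.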

Final Thoughts

SSL and other visible forms of validating websites are used to give visitors and owners peace of mind, especially when they’re engaged in eCommerce. Although this is an important part of overall security, you shouldn’t regard it as the only security measure you need to take. It works best when deployed as one part of your overall security standard, in conjunction with regular threat monitoring.