When one thinks of SSL and encryption, the default assumption is that it automatically makes IT systems safer, and for the most part that assumption holds: SSL/TLS encryption has been instrumental in giving users confidence in online data transactions over the last 20 years. However, cybercriminals have recently started using SSL/TLS as part of their attack strategies, resulting in an increase in SSL-based attacks, including:
- Phishing sites that appear legitimate because they present valid certificates
- "Encrypted" SYN floods, that is, SYN and TLS handshake floods aimed at HTTPS ports, which are more resource intensive on the server because every handshake it completes costs it a key exchange
- Encrypted web application attacks that attempt to bypass security measures which cannot inspect the encrypted traffic
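The last two items share one property a defender can use: the payload of an established TLS session is opaque, but the handshake that opens it is not. The record header and the ClientHello are sent in the clear, so a handshake flood can be spotted by counting ClientHellos per source without decrypting anything. The script below is an added example written for this post, not DOSarrest code or a description of its monitoring; it assumes the defender sees the raw TCP payload of each packet together with its source address (for instance from a mirror port), the packets are constructed inline rather than captured, and the threshold of 20 handshakes per 10 s window is illustrative.

```python
"""Detect TLS handshake floods from unencrypted record headers.

Added example (not DOSarrest code). Assumes a feed of (timestamp,
source IP, TCP payload) tuples; the traffic below is constructed.
"""
import struct
from collections import defaultdict

TLS_HANDSHAKE = 0x16      # record content type: handshake
TLS_APP_DATA = 0x17       # record content type: application data
CLIENT_HELLO = 0x01       # handshake message type: ClientHello


def parse_tls_record(payload: bytes):
    """Return (content_type, version, body) of the first TLS record, or None.

    Only the 5-byte record header is interpreted; it is never encrypted,
    so this works whether or not the body is readable.
    """
    if len(payload) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", payload[:5])
    if ctype not in (0x14, 0x15, 0x16, 0x17) or (version >> 8) != 3:
        return None  # not SSL3/TLS framing
    return ctype, version, payload[5:5 + length]


def is_client_hello(payload: bytes) -> bool:
    """True if the payload starts with a cleartext ClientHello record."""
    rec = parse_tls_record(payload)
    if rec is None:
        return False
    ctype, _, body = rec
    return ctype == TLS_HANDSHAKE and len(body) >= 4 and body[0] == CLIENT_HELLO


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello (constructed test input, not a capture)."""
    hello_body = (
        b"\x03\x03"            # client_version TLS 1.2
        + b"\x00" * 32         # random (zeros for the example)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite
        + b"\x01\x00"          # one compression method: null
    )
    handshake = bytes([CLIENT_HELLO]) + len(hello_body).to_bytes(3, "big") + hello_body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def build_app_data(n: int) -> bytes:
    """Application-data record whose body is opaque to the observer."""
    return bytes([TLS_APP_DATA]) + b"\x03\x03" + n.to_bytes(2, "big") + bytes(n)


def detect_handshake_flood(packets, window_s=10.0, max_hellos=20):
    """Flag sources exceeding max_hellos ClientHellos in any window_s window.

    packets: iterable of (timestamp, src_ip, payload) in time order.
    """
    hellos = defaultdict(list)
    flagged = set()
    for ts, src, payload in packets:
        if not is_client_hello(payload):
            continue              # encrypted records carry no usable signal here
        times = hellos[src]
        times.append(ts)
        while times and ts - times[0] > window_s:
            times.pop(0)          # slide the window
        if len(times) > max_hellos:
            flagged.add(src)
    return flagged


def sample_traffic():
    """Constructed traffic: one normal client, one handshake-flooding source."""
    pkts = []
    for i in range(5):  # legitimate client: a handshake every 2 s, then data
        pkts.append((i * 2.0, "198.51.100.10", build_client_hello()))
        pkts.append((i * 2.0 + 0.1, "198.51.100.10", build_app_data(64)))
    for i in range(50):  # attacker: 50 handshakes inside one second, no data
        pkts.append((i * 0.02, "203.0.113.7", build_client_hello()))
    pkts.sort(key=lambda p: p[0])
    return pkts


if __name__ == "__main__":
    print("flooding sources:", detect_handshake_flood(sample_traffic()))
```

Only the initial handshake is visible this way. A TLS 1.2 renegotiation is carried inside the already-encrypted session, so its ClientHello cannot be parsed on the wire, and TLS 1.3 has no renegotiation at all; detecting renegotiation abuse therefore has to come from the server's own handshake counters rather than from a passive tap.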
At DOSarrest we have seen a 40% year-over-year increase in SSL-based attacks, for two main reasons:
- Google Chrome began flagging HTTP sites as "Not secure" in July 2018. This created a rush among web admins to deploy SSL certificates and redirect to HTTPS to avoid the warning, which in effect expanded the attack surface available to cybercriminals wanting to leverage SSL-based attacks.
- Adoption of free certificate authorities (e.g. Let’s Encrypt). Obtaining an SSL certificate used to be expensive and involved tedious paperwork and validation, but that is no longer the case with services like Let’s Encrypt, which has also lowered the bar of entry for cybercriminals procuring certificates.
While the increase in attempts to leverage SSL for DDoS has been noticeable at DOSarrest, it poses no problems for our operations. The DOSarrest mitigation network’s customized capability and capacity let it handle encrypted SYN floods, SSL renegotiation attacks, HTTPS floods and encrypted web application attacks with no performance loss. Detecting these attacks, whose intent is to disguise themselves within encrypted streams, is also not a challenge for us, thanks to 10+ years of upgrading and evolving our monitoring strategy.
SSL Everywhere is a noble goal for IT admins, but until systems and processes are upgraded to meet the complicated detection and mitigation requirements of SSL-based attacks, there are caveats that admins need to account for when taking the next steps.
CTO, DOSarrest Internet Security