© 2010 IBM Corporation
Decrypting Web Proxies: Corporate Compliance or Surveillance State?
Commonwealth Telecommunications Organization Cyber Security Forum, 17 June 2010
Ron Williams, Sr. Enterprise Architect, Security and Privacy, IBM Security
Introduction
In freedom loving countries, surveillance is undertaken with a certain amount of trepidation, and perhaps a certain amount of regret. It has been a tool of intelligence operations since the earliest recorded history. It has been justified as necessary to “national security,” and excoriated as a tool of an oppressive state. Whether or not these characterizations are accurate, one fact is clear. Surveillance of the electronic kind is on the rise in the digital age.
Electronic surveillance techniques are increasingly being adopted in commercial enterprise. These include the use of decrypting web proxies to “see into” otherwise encrypted traffic. In the microcosm of the commercial sphere, “Enterprise Security” takes the place of “National Security” and “Corporate Policy” that of “National Interest.” And while there is a long history of debate and conflict surrounding what the role of security in the national interest should be, surveillance as a tool of corporate security, especially electronic surveillance, is a relative newcomer to the stage.
It is a premise of this paper that governments and commercial enterprises alike desire and intend to “do the right thing” with respect to protecting their infrastructures, while upholding the rights of their citizens, employees, and business partners. It seeks to illuminate a small area of encrypted internet communication, and to point the way to rationally confronting the problems its use may pose.
Cyber Security’s Technical Posture Today
The good news
– The use of switched network routers in lieu of inherently insecure bridging technologies has significantly reduced internet protocol (IP) attacks based on IP address spoofing.
– Intrusion detection and prevention (IDS/IPS) techniques and their associated technologies have vastly reduced the threat surface of the organizations that have deployed them.
– Research into evolving application threats and application heuristics has resulted in effective techniques to confront SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and obfuscated script encoding.
However
– 80% of all cyber threats are perpetrated over encrypted protocols. The vast majority of these occur over server-side-only Transport Layer Security (TLS or SSL).
– Unless a threat can be detected and countermeasures applied before it reaches sensitive application endpoints, critical applications and their underlying infrastructure remain vulnerable.
Unencrypted Network Traffic
Encrypted Network Traffic
Why do users and providers want to encrypt web traffic?
Ensure privacy of data between user and service by protecting user data, like login credentials, medical information, account numbers, transaction details, and content delivered.
Authenticate one or both parties (server-side-only or mutually authenticated TLS)
Regulatory requirements
Fiduciary Responsibility
Maintain legal privilege
Keep private web activity from employer, family, competitors, government agents, curious teenagers, prying relatives
Protect political speech
Engage in illegal activities
Exercise right to be free from surveillance
“Why do you want to know?”
Why do enterprises want to decrypt third-party web traffic?
80% of all web attacks perpetrated over TLS (IBM X-Force)
7 of 10 Top Web Security Threats can be directed against browser over TLS (Open Web Application Security Project/OWASP). There is no antivirus protection for an encrypted stream.
Intellectual capital and privacy data alike are increasingly being lost electronically. Organizations want to monitor and inspect traffic to mitigate information loss (i.e. DLP).
Regulations and corporate policy demand enforcement of acceptable use policies. Organizations want to inspect traffic on corporate assets and block access to sites deemed inappropriate to the job (e.g. pornography, criminal and/or terrorist communications, known malware sites, etc.).
Lawful surveillance
TLS Proxy - breaking the protocol
TLS is designed to ensure the integrity of communications between a service provider and its users. Server-side-only TLS provides an additional mechanism by which the server is authenticated to the user. Inherent in the protocol is the assumption that TLS
– provides confidentiality of communication between a user and a service
– authenticates the identity of the name or subject of the server to the end user
– authenticates the name or subject of the user to the server (in the case of client-side certificates, mutually authenticated TLS)
– provides a mechanism whereby tampering with any of the above properties will be detectable
Decryption of TLS by an entity other than the intended endpoints is considered an attack against the protocol, specifically a man-in-the-middle (MITM) attack.
In the case of the enterprise, the deployment of decrypting web proxies has only considered the relationship between the enterprise and its employees, contractors, business partners, and those who operate within the sphere of the enterprise and its IT operation. However, there is a third class of participant: the service represented by the server leg of the connection.
TLS Review
[Figure: TLS handshake diagram with the labels “Hello”, “Hi, I’m Office Window”, “Let’s Use Encryption”, “Secure Communications”]
What is a Digital Certificate?
It is used to authenticate a subject, in the case of HTTPS the source, company or other organization that “owns” the certificate
Protocols like SSL and TLS that use Digital Certificates include mechanisms to detect tampering with the certificate
Why use protocols based on public key cryptography and Digital Certificates?
– They enable the participants (endpoints) to identify and authenticate each other
– They provide mechanisms to detect tampering with either the certificate or the protocol being used
– They imply “secure” communications.
Who uses Digital Certificates and the encryption protocols based on them?
– Everyone on the internet
Users of Digital Certificates expect that their communications are “tamper resistant”
Banking Example . . .
Server-side-only TLS (What the Server and Browser “See”)
Decrypting Web Proxy (Man-in-the-Middle/MITM)
If TLS is designed to prevent tampering, how can a decrypting web proxy work?
Technical Premise of TLS Proxy
Server-side-only TLS can be read en clair by a third party and effectively proxied without indication to either party if
– the TLS session is divided into two distinct sessions
– the third party (proxy) is interposed between the two sessions
– the browser (IE, Firefox, Safari, Opera, etc.) can be manipulated to reduce or eliminate indications of tampering to the end user
– the proxy can be interposed in the network between the end user and the server to which they connect
– the browser’s traffic can be routed to the proxy either by
• proxy redirection, or
• in-line network capture (transparent proxy)
Means by which to make a decrypting proxy work within an Enterprise
Control of Endpoint, Control of Browser - Certificate Forging
– Install special “root” certificates in the browser
– Re-write (forge) the Subject of the source certificate under the local “root”
– Sign the re-written (forged) certificate with the local private key
– Present the forged certificate to the browser as the real certificate
User notification - Ignore the man behind the curtain
– Notify users of TLS proxy use, and to “click through” browser warnings of certificate mismatch (IP address, DNS address, etc.)
Almost Full Disclosure
– Notify users of the TLS proxy and for what purpose: Information Loss Prevention, Spyware/Antivirus, Application and Web Browser Threat Mitigation.
None of these address 3rd party rights (those of the provider of the target server) with respect to their expectation of privacy or confidentiality of transactions (Banks, commercial enterprise, government agencies, etc.)
TLS Proxies - the Butcher, the Baker, the Candlestick Maker
Parties to TLS
User initiating a connection
– primary subject of communication
– intends to interact with the service, not a third party
– expectation of privacy
Server responding to the user
– primary object of communication
– intends to interact with the user, not a third party
– expectation of privacy
Proxy owner
– third-party monitor
– who deploys the decrypting proxy
– deploys it to protect itself
A TLS proxy supports the requirements of third-party monitors only, and in effect obviates those of the original participants: user and service, client and server.
TLS is implemented in communications between two parties specifically to ensure the confidentiality and integrity of the communication between them. TLS proxies are implemented to deliberately supersede the requirements of the primary communicants. This is surveillance in its simplest form.
The deployer (third party) of a TLS proxy implicitly asserts its rights and privileges over and against those of the parties whose communication is now under surveillance, unless it explicitly notifies both parties of its actions.
What of the party that operates the service?
Scenario One - Harold and His Concerns
Harold Saxon is the chief architect of a large commercial engineering firm. His firm produces highly confidential designs for industrial manufacturing facilities across the globe. The plans, designs, and specifications produced by the firm are both strategically and competitively sensitive.
Harold is concerned about unauthorized information leakage and attacks from the Internet to which his firm’s infrastructure may be vulnerable. He is aware that over 80% of potential web threats are executed over SSL or TLS encrypted sessions. Harold directs his IT organization to deploy decrypting web proxies to monitor and protect his infrastructure against threats targeted at obtaining commercial plans.
Harold’s governance board has implemented an opt-in/implicit block policy. This means that if one of the firm’s employees does not consent to their encrypted traffic being monitored, then the firm blocks access to those sites. In this way the firm’s objectives are achieved, with the full knowledge and consent of the users, who are the firm’s employees.
Scenario Two - Donna and Her Concerns
Donna Noble is the general manager for wealth management at an elite bank in Suffolk. She and her staff are responsible for the web applications, secured by TLS, by which the bank’s customers pay bills, check account balances and deposits, initiate fund transfers, and manage their investment portfolios.
Donna is concerned about the integrity of the communications between her customers and the bank. She has directed the deployment of TLS on all applications for her customers. She is unaware of the potential deployment, by her customers’ employers, of technology that would enable them to observe all aspects of the transactions of those customers who are also their employees.
If Donna knew that the communications between the bank and her customers were being monitored, and potentially captured or altered, would she care? If her customer approved of the communication being monitored, would that be sufficient for the bank?
Scenario Three - Martha and Her Concerns
Martha Jones represents the ministry of cyber security in prosperous Ubuntu, Northwest Africa. When agencies of her government suffer security breaches, she deploys field staff to assess the situation, perform tests including penetration scans and other tools of vulnerability assessment, develop reports, and send them via a web application secured via TLS. They may actually log in to your site from anywhere on the internet.
Martha operates a fast information gathering operation when her team goes into action. Because of the sensitivity of the information they gather, all transmission between her field staff and her office is encrypted over TLS. Furthermore, because Martha understands the implications of decrypting web proxies, she deploys digital-certificate-based technology on all of her field applications to assure both the source and the integrity of the information her staff collect and transmit.
When Worlds Collide - conflict of objectives
Whereas Donna Noble has an expectation that TLS will provide the communications between her customers and the bank with a secure channel, she does not expect anyone (the government, her customers’ employers, or her customers’ neighborhood cyber café) to be able to “snoop” on them.
Harold Saxon has suffered the online theft of documents critical to his and his customer’s business. This was due to a trojan, downloaded over TLS, by one of his employees while on a social networking site. The resulting damage to his firm’s reputation, and the increased insurance costs due to a large settlement to his former customer, have led him to purchase anti-virus, intrusion prevention, and information loss protection technology along with a TLS proxy. He hopes that together these will enable him to identify threats transmitted to his employees, and to identify and block them or their actions before another breach is successful.
What are the implications for Donna Noble’s bank? How does the risk profile of her customers’ transactions change in the face of potential online snooping by her customers’ employers? What are the risks that customers’ login credentials will be used fraudulently in the future? What can Donna do to mitigate against downstream TLS proxy use, to block it and its effects on her business?
For Information Servers: Obviating downstream TLS Proxies
The techniques described work only for server-side TLS, where only the server is authenticated to the client. They do not work in mutually authenticated TLS, where the server authenticates to the client, and vice versa. Attempts to proxy mutually authenticated TLS sessions will fail on the server side, thus protecting the integrity of communications between client and server.
Some institutions deploy technology in their user facing servers that is intended to detect downstream proxy insertion, but requires the user to interact with the server to “approve” the new configuration. In the case of a fully transparent TLS proxy deployment, the user may wonder why they’re being asked to (re-)configure a session with their bank - but absent other clear indicators or disclosure - they are likely to do so without another thought.
If the decrypting proxy is open about its function - it should use standard HTTP proxy headers, inserted into the HTTP stream to announce its use. At least in this case it couldn’t be accused of deliberately hiding its operation from upstream servers. This only works for “honest” proxies - those with nothing to hide.
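The server-side counterpart of the “honest proxy” point above, as an added example that is not from the slides or from any product: a Go handler that parses the standard Via (RFC 7230) and Forwarded (RFC 7239) announcement headers and refuses a sensitive transaction when any intermediary identifies itself, so the service applies its own policy instead of silently serving through a decrypting proxy. The path, hostnames and header values are constructed for illustration and no network is used.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// ProxyEvidence summarises what an honest intermediary announced in the request headers.
type ProxyEvidence struct {
	ViaHops     []string // "protocol-version pseudonym" entries from Via (RFC 7230 section 5.7.1)
	ForwardedBy []string // "by=" parameters from Forwarded (RFC 7239)
}

// Announced is true when at least one intermediary identified itself.
func (e ProxyEvidence) Announced() bool {
	return len(e.ViaHops) > 0 || len(e.ForwardedBy) > 0
}

// InspectProxyHeaders reads the standard proxy-announcement headers from r.
// Via comments that themselves contain commas are not handled by this simple split.
func InspectProxyHeaders(r *http.Request) ProxyEvidence {
	var e ProxyEvidence
	for _, v := range r.Header.Values("Via") {
		for _, hop := range strings.Split(v, ",") {
			if i := strings.Index(hop, "("); i >= 0 { // drop a trailing "(comment)"
				hop = hop[:i]
			}
			if hop = strings.TrimSpace(hop); hop != "" {
				e.ViaHops = append(e.ViaHops, hop)
			}
		}
	}
	for _, v := range r.Header.Values("Forwarded") {
		for _, elem := range strings.Split(v, ",") { // one element per proxy hop
			for _, pair := range strings.Split(elem, ";") {
				k, val, ok := strings.Cut(strings.TrimSpace(pair), "=")
				if ok && strings.EqualFold(k, "by") {
					e.ForwardedBy = append(e.ForwardedBy, strings.Trim(val, `"`))
				}
			}
		}
	}
	return e
}

// sensitiveHandler refuses the transaction when an intermediary is announced, so the
// service applies its own policy rather than silently serving through a decrypting proxy.
func sensitiveHandler(w http.ResponseWriter, r *http.Request) {
	if InspectProxyHeaders(r).Announced() {
		http.Error(w, "proxied sessions are not permitted for this service", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// Probe runs sensitiveHandler against a constructed request carrying headers and returns
// the status code (no network involved).
func Probe(headers map[string]string) int {
	req := httptest.NewRequest(http.MethodPost, "/transfer", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	sensitiveHandler(rec, req)
	return rec.Code
}

func main() {
	println(Probe(nil))                                                                   // 200
	println(Probe(map[string]string{"Via": "1.1 corp-proxy.example (Decrypting Proxy)"})) // 403
}
```

As the slide notes, this only catches proxies that choose to announce themselves; a proxy that strips or never adds these headers is invisible to this check.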
Conclusions
The use of TLS proxies
– breaks three properties of TLS sessions
• authentication
• confidentiality
• message integrity
– fundamentally changes the trust model of communication between parties
– introduces a new actor, the third-party proxy, which has full ability to read, modify, and retain information transmitted in both directions
– and its operations are largely hidden from the server side, and can be largely minimized if not completely made invisible to web clients.
In doing each of these, it changes the fundamental assumptions of both clients and servers.
Benefits
The use of TLS proxies is seen as an effective means to address and bring to light web-based threats which operate today concealed in TLS traffic.
It provides a means to monitor and potentially block these threats in the network, at points of major traffic aggregation, rather than on each individual endpoint.
It can enable the use of widely available third-party anti-malware, information loss protection, and intrusion prevention technologies, plugged into the proxy.
It can enable the elimination of up to five times the number of threats seen today over un-encrypted traffic.
Caveats
The legal and ethical implications of the use of TLS proxies in business today are largely untested in some jurisdictions.
Adopters of decryption technology need to be aware of any business risk attendant to the technology’s use with respect to
– their employees, and
– those with whom their employees communicate: banks, social networks, business partners, personal banks
It is probably worth considering the implications of proxying certain kinds of communications like on-line banking, in order to understand any potential liability that may arise.
Recommendations
Disclosure
– Full disclosure to end users that decrypting web proxies are in use is recommended in all cases
– Notification alone may in some cases be inadequate to fulfill local legal requirements. In these cases a user’s explicit approval may be required.
– The author is unaware of any legal cases concerning the commercial forgery of TLS certificates for any reason. Commercial software that performs in-line certificate forgery is generally available and discussed on the web today.
– Vendors of TLS proxies should, at minimum, enable HTTP proxy headers by default in order to notify upstream servers that they are in use.
Recommendations
– Except in the case of legally authorized criminal surveillance, disclose fully and widely to all parties that TLS proxies are in use.
– Provide simple mechanisms to disable proxy use for particular sites (on-line banking)
– Provide opt-in policies to ordinary users.
– Consider achieving protection goals through blocking of TLS transmission where the user chooses not to permit decryption.
– Consider the risk impact to the organizations with whom your employees communicate, and their expectations of privacy.
– Consult with your organization’s legal counsel before deploying decryption technology
For further exploration and reference
IBM X-Force® threat and trend reports: http://www-935.ibm.com/services/us/iss/xforce/trendreports/
Open Web Application Security Project (OWASP) Top 10 Vulnerability Project: http://www.owasp.org/index.php/OWASP_Top_Ten_Project
Servers detecting downstream proxies: http://w-shadow.com/blog/2007/11/23/detect-users-accessing-your-site-via-a-proxy/
Online threats and vulnerabilities assessment and tracking: https://isc.sans.org/reports.html
SC Magazine: Black Hat: Breaking SSL network transactions: http://www.scmagazineus.com/black-hat-breaking-ssl-network-transactions/article/140941/