Don’t Get Undone By The Wrongs Of Others
Why well-implemented Transport Layer Security is critical to enterprise security in the cloud era
The era when the vast majority of sensitive organizational data traveled over networks under corporate control has long passed. In today’s cloud-centric world, security professionals are acutely aware they must build security on the basis that much of their organizations’ information will routinely traverse networks which are fundamentally insecure. The rapid adoption of SaaS and the internet enablement of in-house applications means more and more data is exposed to the risks that these networks present.
This is not a new challenge. As Matthieu Bentot, Chief Technical Architect at Corrata put it in a recent post, “The problem always was, and remains, how to ensure the authenticity, confidentiality and integrity of communications, from end to end, at all time, for the whole device, over an inherently insecure network.” In this blog post, we will outline the critical role of Transport Layer Security, its vulnerabilities when poorly implemented and explain some steps to ensure you’re not undone when others get it wrong.
Vulnerabilities are not restricted to Wi-Fi networks
When we speak of insecure networks, the first thing that most of us think of is public Wi-Fi. And there are a number of reasons why Wi-Fi networks are particularly vulnerable. When you connect to a wireless hotspot which doesn’t require a password, you leave your data open to being intercepted as it travels through the air. Both the content of your unencrypted traffic and your browsing destinations are made visible to third parties. Such interception doesn’t require specialized hardware or advanced knowledge: many laptops have built-in wireless diagnostics tools which support sniffing Wi-Fi traffic in their vicinity.
However, even if you can’t have your traffic intercepted as it travels through the air, there are still multiple risks which impact any network, wired or wireless, that can be accessed by third parties. The most obvious is when our device is tricked into connecting not to the legitimate network but to a fake, rogue or compromised access point under the control of malicious actors.
The operators of coffee shops, restaurants, airports and libraries are not, in the first instance, concerned with security. Instead, they are concerned with providing a service which will make their locations more attractive to customers. In these circumstances, it is trivial for a malicious actor to introduce compromised equipment into the network. It can be as simple as placing a rogue access point in the location and then tricking users into connecting to the access point. And this is not as far-fetched as it seems: cybercriminals targeting you are not beyond visiting your local coffee shop.
But even if the infrastructure we are connecting to has not been compromised, the mere fact that we are sharing a network, wired or wireless, with third parties leaves us exposed. Networking tools can use promiscuous mode to capture traffic from devices connected to the same network segment. A technique known as ARP spoofing can redirect your traffic from its intended destination to one under the control of the bad guys. This latter technique can then be used to launch an Adversary-in-the-Middle attack.
In its classic form, the device traffic is redirected to an imposter site (say, when you are attempting to access email). The attacker can then capture critical data such as username, passwords and 2FA codes. More recently, we have seen such attacks capture authentication cookies by introducing a proxy between the device and the legitimate site.
But it’s not all bad news.
Today 81% of websites encrypt traffic using https. According to Google, 97% of Chrome traffic in the US was secured in this way. And Corrata’s internal statistics show these percentages are higher still for employee devices. So, we have successfully transitioned from an era that relied on securing the network to one which relies on strong end-to-end encryption between endpoints.
Nonetheless, we need to take into account the ways in which Transport Layer Security (the protocol underlying https) can be compromised. The most obvious is the use of out-of-date or obsolete ciphers, cipher suites or underlying protocols that are no longer secure. Attackers can intercept such poorly encrypted traffic and, with relative ease, uncover its secrets. It’s the digital equivalent of hiding a key to your home under the welcome mat. This kind of poor cybersecurity hygiene is outside your control, and it can’t be taken for granted that all website operators are diligent.
A second area of concern is poor coding practice leading to sensitive data being sent over http rather than https. At Corrata, we have uncovered a number of examples where data is posted by mobile devices to websites in unencrypted form.
The third way in which TLS can be broken is via the Adversary-in-the-Middle attacks described above. Specifically, your device can be tricked into accepting a fake TLS certificate (the digital document which confirms that a website is authentic). Today most apps address this issue using a technique called ‘cert pinning.’ With cert pinning, the app itself will check that the cert presented by the website is precisely the one expected. However, cert pinning isn’t implemented by all apps and is almost impossible to implement in mobile browsers. For this reason, devices remain vulnerable to this type of attack.
What is to be done?
At Corrata, we’ve found that these risks can be addressed via a number of controls implemented by security software deployed on the mobile device.
Specifically, it is possible to check for sensitive transactions being sent without encryption and for websites that are using weak encryption and/or invalid certificates. When these circumstances are encountered, enterprise data is protected by blocking transmission between the device and the affected domains. This approach aligns with the increasingly prevalent zero-trust architecture being adopted by many organizations.
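The on-device checks described above, as an added example that is not Corrata’s code: a policy function that blocks plaintext submissions, obsolete protocol versions, weak cipher suites and failed certificate validation, plus a stdlib probe that gathers those facts from a live handshake. The protocol and cipher lists are assumptions for illustration, not Corrata’s actual policy.

```python
# Added example (not Corrata's code). probe_tls() performs a real TLS
# handshake with the stdlib ssl module and summarises what an on-device
# inspector would see; evaluate() applies a block/allow policy to that
# summary. The weak-protocol and weak-cipher lists are assumptions.
import socket
import ssl

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}        # obsolete versions
WEAK_CIPHER_MARKERS = ("RC4", "DES", "3DES", "NULL", "EXPORT", "MD5")


def evaluate(scheme, protocol=None, cipher=None, cert_valid=None):
    """Decide whether traffic to a destination should be allowed.

    scheme is "http" or "https"; the other fields describe the handshake
    (None when the connection is plaintext). Returns (decision, reason).
    """
    if scheme != "https":
        return ("block", "sensitive data sent without encryption")
    if cert_valid is False:
        return ("block", "certificate failed validation")
    if protocol in WEAK_PROTOCOLS:
        return ("block", f"obsolete protocol {protocol}")
    if cipher and any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
        return ("block", f"weak cipher suite {cipher}")
    return ("allow", "TLS meets policy")


def probe_tls(host, port=443, timeout=5.0):
    """Handshake with host and return the facts evaluate() needs."""
    ctx = ssl.create_default_context()   # validates chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher_name, _, _ = tls.cipher()
                return {"protocol": tls.version(), "cipher": cipher_name,
                        "cert_valid": True}
    except ssl.SSLCertVerificationError:
        # Chain or hostname check failed: the fake-certificate case above.
        return {"protocol": None, "cipher": None, "cert_valid": False}


if __name__ == "__main__":
    # Live check against the IANA reserved example domain (needs network).
    print(evaluate("https", **probe_tls("example.com")))
```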
Famously, Ronald Reagan, when negotiating with his Soviet counterparts, used the Russian proverb ‘trust, but verify.’ Today this strikes us as an excellent summary of Corrata’s approach to the security of internet communications. Despite regular reports of the threat that quantum computing poses to the Transport Layer Security protocol, it will remain an absolutely foundational element of the internet security architecture for the foreseeable future. And one that we should continue to trust, but not blindly.