According to Google over 75% of public websites are accessed over encrypted connections using HTTPS, with the use of HTTP diminishing. As expected, the bad actors are following the crowds, and using HTTPS to hide their activities.
So how can security solutions such as ETP Threat Protector detect and block threats within HTTPS traffic? In short, the answer is a best practice implementation of a Trusted TLS Intermediary, enabling enterprises to proxy and decrypt TLS traffic for the purposes of detecting and blocking threats.
Trusted TLS Intermediary Approach
A basic approach for doing this is splitting an end-to-end encrypted Client-to-Origin TLS connection into two separate TLS connections: 1) Client-to-Proxy and 2) Proxy-to-Origin. Since Proxy does not have access to Origin’s TLS certificate private keys, it must present its own certificate, with the Subject field matching Origin’s certificate.
How would an organization’s computers know that this is not a man-in-the-middle (MITM) attack by a bad actor? Enterprises configure organizational computers to trust a special Enterprise Certificate Authority, and so that HTTP Proxy such as ETP Proxy can use that CA as root of the certificate chain for generating certificates representing origin servers. This way client computers will accept HTTP Proxy as a Trusted Intermediary, while blocking malicious man-in-the-middle attack attempts.
Trusted TLS Intermediary Threat Model
Much research has been conducted into threats of TLS inspection with middle boxes. TLS inspection requires a robust security architecture and rigorous security management, so that the confidentiality, integrity and authenticity characteristics provided by TLS/HTTPS are preserved.
Enterprise IT can shift many of the operational risks to Akamai by relying on the Akamai Cloud as an operated Trusted TLS Intermediary Service, all while being confident that best security practices around certificate management and TLS handling are implemented.
Attacker stealing CA private keys
Attacker compromising HTTP Proxy, can generate MITM certificates for popular web sites and use them to access on employee traffic
Attacker compromising HTTP Proxy, can steal already generated MITM certificates and use it outside of HTTP Proxy
Man-in-the-middle attack from Internet on Proxy to Origin
Enterprise IT watching employee personal browsing done from enterprise desktops
With all these mitigations in place, performing inspection of suspicious TLS traffic, is the right approach to protect the enterprise network from threats.
*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by John Neystadt. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/0vhKFW8ua2M/best-security-practices-for-trusted-tls-intermediary.html