Saudi Ministry of Education to showcase innovations at 2025 Geneva International Exhibition    7,523 violators of residency, labor, and border security laws deported in a week    Video contradicts Israeli army account of deadly March 23 strike on Gaza paramedics    Saudi Arabia spends over $241 million to implement de-mining projects in 3 countries    Italy's Meloni government approves controversial security decree expanding police protections and penalties    Egypt submits new Gaza ceasefire and prisoner exchange proposal: Report    'Everything is possible' — Ronaldo focused on titles, not 1,000-goal milestone after Riyadh Derby win    Saudi, US military leaders discuss enhanced defense cooperation in Riyadh    King Salman Global Academy for Arabic Language launches program with Indiana University    Ronaldo brace powers Al Nassr past Al Hilal in Riyadh derby thriller    Ed Sheeran weaves Persian music into new song, Azizam    Al-Jadaan: Crown Prince's directives confirm government's ability to bring back balance to real estate market    Veteran Bollywood actor Manoj Kumar dies at 87    Foreign investors are allowed to engage in real estate business outside Makkah and Madinah Commercial speculation should not be the purpose of real estate transaction    Aubameyang fires Al Qadsiah into King's Cup final with stoppage-time winner over Al Raed    Musk's X is suing India, as Tesla and Starlink plan entry    Tesla sales plunge after backlash against Elon Musk    Danilo Pereira fires Al Ittihad into King's Cup final with dramatic stoppage-time double    Screen time in bed linked to insomnia, study finds    Mexico bans junk food in schools to fight childhood obesity epidemic    Sweet sales surge ahead of Eid as Saudi chocolate imports top 123 million kg in 2024    Bollywood actress vindicated over boyfriend's death after media hounding    Grand Mufti rules against posting prayers and preaching in mosques on social media    King Salman prays for peace and stability for Palestinians in Ramadan message King reaffirms Saudi Arabia's commitment to serving the Two Holy Mosques and pilgrims    Exotic Taif Roses Simulation Performed at Taif Rose Festival    Asian shares mixed Tuesday    Weather Forecast for Tuesday    Saudi Tourism Authority Participates in Arabian Travel Market Exhibition in Dubai    Minister of Industry Announces 50 Investment Opportunities Worth over SAR 96 Billion in Machinery, Equipment Sector    HRH Crown Prince Offers Condolences to Crown Prince of Kuwait on Death of Sheikh Fawaz Salman Abdullah Al-Ali Al-Malek Al-Sabah    HRH Crown Prince Congratulates Santiago Peña on Winning Presidential Election in Paraguay    SDAIA Launches 1st Phase of 'Elevate Program' to Train 1,000 Women on Data, AI    41 Saudi Citizens and 171 Others from Brotherly and Friendly Countries Arrive in Saudi Arabia from Sudan    Saudi Arabia Hosts 1st Meeting of Arab Authorities Controlling Medicines    General Directorate of Narcotics Control Foils Attempt to Smuggle over 5 Million Amphetamine Pills    NAVI Javelins Crowned as Champions of Women's Counter-Strike: Global Offensive (CS:GO) Competitions    Saudi Karate Team Wins Four Medals in World Youth League Championship    Third Edition of FIFA Forward Program Kicks off in Riyadh    Evacuated from Sudan, 187 Nationals from Several Countries Arrive in Jeddah    SPA Documents Thajjud Prayer at Prophet's Mosque in Madinah    SFDA Recommends to Test Blood Sugar at Home Two or Three Hours after Meals    SFDA Offers Various Recommendations for Safe Food Frying    SFDA Provides Five Tips for Using Home Blood Pressure Monitor    SFDA: Instant Soup Contains Large Amounts of Salt    Mawani: New shipping service to connect Jubail Commercial Port to 11 global ports    Custodian of the Two Holy Mosques Delivers Speech to Pilgrims, Citizens, Residents and Muslims around the World    Sheikh Al-Issa in Arafah's Sermon: Allaah Blessed You by Making It Easy for You to Carry out This Obligation. Thus, Ensure Following the Guidance of Your Prophet    Custodian of the Two Holy Mosques addresses citizens and all Muslims on the occasion of the Holy month of Ramadan    







Thank you for reporting!
This image will be automatically disabled when it gets reported by several people.



Organizations in KSA need to beware of SSL decryption solutions, says expert
Published in The Saudi Gazette on 07 - 12 - 2015

Secure Sockets Layer (SSL) is everywhere. Today, many of the most popular websites leverage encryption to keep data secure and private. On top of that, other applications such as email, instant messaging, and FTP use SSL or its successor TLS to encrypt traffic.
Need proof that SSL is ubiquitous? According to Sandvine, two thirds of Internet traffic will be encrypted by 2016. Glen Ogden, regional sales director, Middle East at A10 Networks said that when organizations start encrypting application traffic, they often encounter obstacles such as performance degradation on their application servers. Encryption has other, more serious, ramifications; it makes network security tools blind to application traffic. "Security solutions like next-generation firewalls, intrusion prevention, and advanced threat protection platforms cannot inspect packets and mitigate threats when traffic is encrypted."
To solve this issue, organizations can deploy SSL inspection platforms to decrypt SSL traffic and forward it to third-party security devices for analysis. For outbound traffic, organizations own the end points but not the SSL certificates and keys. An SSL inspection platform can decrypt traffic when configured as a transparent forward proxy or an explicit proxy.
Decrypting inbound traffic destined to internal application servers is different than decrypting outbound traffic because organizations own the SSL keys. There are two main ways to decrypt inbound SSL traffic sent to internal servers:
* Reverse proxy mode: SSL traffic is terminated on the SSL inspection devices and sent in clear text to inline or non-inline security devices. This mode is also referred to as "SSL Offload."
* Passive non-inline or inline mode: SSL traffic is decrypted using a copy of the server SSL keys. SSL traffic is not modified by the SSL inspection platform except — potentially — to block attacks.
In reverse proxy mode, the SSL inspection platform can potentially also accelerate SSL performance and load balance servers.
In passive non-inline mode, the SSL inspection platform can be installed transparently without needing to update network settings. However, in passive non-inline mode, organizations cannot easily block attacks. Although organizations may be able to send TCP resets from non-inline devices, this is a best-effort approach and will not effectively block all attacks, including single-packet attacks.
However, the biggest flaw with passive mode is that it does not support strong encryption methods like Perfect Forward Secrecy because the SSL inspection platform does not actively participate in the SSL key negotiation.
Why should you care about Perfect Forward Secrecy (PFS)? Many organizations are transitioning to PFS because:
PFS ensures that if an SSL key is compromised in the future, that criminals or government organizations cannot decrypt the data. Each session has its own unique key, so each individual session must be cracked — which is a nearly impossible task.
PFS mitigates many types of SSL vulnerabilities. For example, with the notorious Heartbleed bug, if an SSL private key is compromised, hackers cannot monitor and decrypt communications. This is because each SSL session is encrypted with a unique session key.
Leading SSL proponents like the Electronic Frontier Foundation (EFF) are urging application owners to switch to Perfect Forward Secrecy. And many organizations are heeding their call. Web properties such as Dropbox, Facebook, Google, LinkedIn, Microsoft Outlook.com, Twitter, Tumblr, Yahoo and more now use PFS. Unfortunately, organizations in Saudi Arabia that deploy an SSL inspection platform that only supports passive mode will be hamstrung — unable to implement strong security ciphers like Elliptic Curve Diffie Hellman Exchange (ECDHE) without breaking their SSL decryption architecture. SSL inspection platforms deployed in passive non-inline mode are a security epic fail. — SG


Clic here to read the story from its source.