HTTPS Scanning – Why It Should Be Enabled on Sophos
Encryption is a tricky topic. You hear about it regularly, people talk about it a lot, and yet its adoption still feels rather sluggish. With the “Let’s Encrypt” project, at least encrypted communication on the internet - between a website and a visitor - has received a major boost. Thanks to free SSL certificates, “Let’s Encrypt” aims to make encrypted connections the default.
In this blog post I’d like to show what it means for your Sophos Firewall when the majority of web traffic suddenly becomes encrypted.
The early days of “https://”
Let’s briefly jump back a few years and look at how the move towards “https://” on the internet unfolded. With Avanet we’ve experienced most of this era through announcements from Google. Please excuse the fact that the following short timeline is therefore rather “Google-heavy”.
- 2010 - Google encrypts search queries (BETA)
- 2011 - YouTube is encrypted by default
- 2013 - Edward Snowden says strong encryption is secure
- 2013 - (March) Google Search is now encrypted by default
- 2014 - Google prefers HTTPS sites and ranks them higher to encourage adoption
- 2015 - (03.12.2015) Let’s Encrypt enters open beta for everyone
- 2016 - (09.03.2016) Let’s Encrypt has already issued 1 million certificates
- 2016 - (13.04.2016) Let’s Encrypt ends its beta phase
- 2016 - (16.10.2016) HTTPS encryption on the web hits 50 percent for the first time
- 2017 - (24.10.2017) 71 of the 100 most visited websites rely on HTTPS
- 2018 - (February) 81 of the top 100 sites on the web use HTTPS by default
[Chart: 1.7 million certificates for more than 3.8 million websites.]
From our perspective, Google has used its power as a search giant to push many webmasters towards equipping their sites with SSL certificates. Once it announced that encrypted connections would in future also affect a site’s search ranking, you were practically forced to deploy an SSL certificate. Thanks to Let’s Encrypt, this is now even possible free of charge.
*Of course we’ve tried Let’s Encrypt ourselves. This blog has been using a Let’s Encrypt certificate since January 2016.
Encryption and security
The chart above makes it very clear that encrypted websites are likely to become the standard in future. Which is a good thing, right? Yes and no. For a visitor, it’s obviously great when communication between their browser and the site is encrypted. This is especially important for online shops, where sensitive data has to be transmitted, and it clearly increases trust. For your firewall, however - which needs to inspect traffic to detect malware - this is unfortunately not ideal from a security perspective.
A “normal” firewall cannot inspect encrypted traffic.
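To make that statement concrete, here is an added example (not code from the original post or from Sophos) showing what a firewall that does not decrypt TLS can and cannot learn from the first bytes of a connection. It constructs a minimal TLS 1.2 ClientHello with a Server Name Indication (SNI) extension and a plain HTTP request, both labelled as constructed test input, and runs a small "first-packet inspector" over them. The parser follows the TLS record and ClientHello layout from RFC 5246 / RFC 6066; the hostnames, the `inspect_payload` helper and its result fields are assumptions made for the illustration.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record carrying an SNI extension (test input only)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + bytes(32)                                  # random (all zeros, constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"  # two cipher suites
        + b"\x01\x00"                                # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, TLS 1.0 compat

def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent/not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                           # skip compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000:                        # server_name extension
            lst_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + lst_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                if ntype == 0:                     # host_name
                    return edata[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
    return None

def inspect_payload(payload: bytes) -> dict:
    """Hypothetical first-packet inspection without TLS decryption: what is visible to the firewall."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        request_line, _, rest = payload.partition(b"\r\n")
        _method, target, _version = request_line.split(b" ", 2)
        headers, _, body = rest.partition(b"\r\n\r\n")
        host = None
        for line in headers.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        # Plain HTTP: hostname, path and the full payload are readable, so content scanning is possible.
        return {"protocol": "http", "host": host, "path": target.decode("ascii", "replace"),
                "content_visible": True}
    if payload[:1] == b"\x16":
        # TLS: at best the SNI hostname is readable; path, headers and body are ciphertext.
        return {"protocol": "tls", "host": extract_sni(payload), "path": None,
                "content_visible": False}
    return {"protocol": "unknown", "host": None, "path": None, "content_visible": False}

# Constructed sample flows
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: demo\r\n\r\n"
TLS_HELLO = build_client_hello("example.com")

if __name__ == "__main__":
    for sample in (HTTP_REQUEST, TLS_HELLO):
        print(inspect_payload(sample))
```

The HTTP flow yields the host, the path and (later in the stream) the response body, which is what malware scanning works on. The TLS flow yields only the SNI hostname, enough for domain-level category filtering but nothing a virus scanner could act on; with HTTPS scanning enabled, the firewall terminates the TLS session itself and sees the same plaintext as in the HTTP case. Note that Encrypted Client Hello (ECH), where deployed, hides even the SNI from a non-decrypting device.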
Avoid flying blind with your Sophos
A SOPHOS firewall is not a “normal” firewall. 🙂 Many of you will know that the UTM has been able to scan SSL connections for quite some time. The prerequisite for this is, of course, a valid Web Protection licence.
However, we still see relatively few configurations where this feature is actually enabled. The downside is that all HTTPS traffic goes uninspected for malware, and botnet connections can pass through the UTM unnoticed. This applies to both UTM and XG. At this point, I can only recommend that you enable HTTPS scanning on your SOPHOS.
A real-world example
To wrap up, let’s take a quick look at how HTTPS traffic actually appears in the field. On one of our customers’ firewalls, for example, it looks like this:
[Screenshot: traffic breakdown on a customer firewall; image not reproduced here.]
As I manage quite a few firewalls, I can confirm that HTTPS traffic already predominates on some of them. Of course, this depends on the company and its browsing behaviour. Overall, though, I can say that HTTPS accounts for, on average, over 30% of traffic across all the firewalls we’ve examined. So without HTTPS scanning, almost one third of all traffic would pass through the firewall uninspected.
At a time when ransomware is hiding in JavaScript code on compromised websites, you really need to use every capability your firewall offers. Make sure you put the following points on your to-do list:
- Enable HTTPS scanning
- Use sandboxing (Sophos Sandstorm)
- Deploy antivirus with HIPS and Malicious Traffic Detection
- Provide thorough user training
Conclusion
Whereas it used to be rare for websites to have an SSL certificate, Let’s Encrypt now makes it incredibly easy - and free - to issue such a certificate for yourself. The statistics clearly show that in future we will be dealing almost exclusively with encrypted web traffic. We therefore strongly recommend enabling and configuring HTTPS scanning on your UTM or XG.
Time doesn’t stand still, and this is yet another good example of why a firewall cannot simply sit in a corner for five years without any changes. Regular maintenance and periodic reviews are absolutely essential if you want to be prepared for new threats.
