security-life

HTTPS-Scanning: Why it should be enabled on Sophos

Patrizio May 11, 2016

It’s one of those things about encryption. Don’t you also have the feeling that one hears something about it over and over again, even talks about it, but the spread is rather sluggish? With the project “Let’s Encrypt” at least the encrypted communication on the internet, between a website and a visitor, got a big boost! Thanks to free SSL certificates, “Let’s Encrypt” wants to make an encrypted connection the standard.

In this blog article, I would like to show you what this means for your Sophos firewall when the majority of web traffic is suddenly encrypted.

The beginnings of “https://”

Let’s go back a few years in history and have a look at the whole development towards “https://” on the internet. With the Avanet we experienced this time mostly with contributions from Google. So please excuse me that the following little timeline is also very Google-heavy.

2010 - Google encrypts search queries (BETA)
2011 - YouTube is encrypted by default
2013 - Edward Snowden says good encryption is secure
2013 - (March) Google search is now encrypted by default
2014 - Google prefers HTTPS pages and ranks them higher in order to attract users to switch.
2015 - (03.12.2015) Let’s Encrypt enters the open beta phase for everyone
2016 - (09.03.2016) Let’s Encrypt has already delivered 1 million certificates
2016 - (13.04.2016) Let’s Encrypt terminates beta phase.
2016 - (16.10.2016) HTTPS encryption on the web reaches 50 percent for the first time
2017 - (24.10.2017) 71 of the 100 most-visited Web sites use HTTPS
2018 - (February) 81 of the top 100 sites on the web use HTTPS by default

1.7 million certificates for more than 3.8 million websites.

From our point of view, Google, with its power as a search giant, has contributed to the fact that webmasters are increasingly equipping their websites with an SSL certificate. By stating that encrypted connections will also have an influence on the ranking of a website in the future, one is practically forced to create an SSL certificate. Thanks to Let’s Encrypt, this is now even free!

*Of course, we have tried “Let’s Encrypt” ourselves. Since January 2016 this blog is equipped with a Let’s Encrypt certificate.

Encryption and security

The previous graphic alone has already clearly shown that encrypted websites are likely to become standard in the future. It’s a good thing, isn’t it? Yes and no. Of course, this is great for a visitor if the communication between him and the visited website is encrypted. Especially in online shops, where sensitive data has to be transmitted, this naturally creates additional trust. Unfortunately, for your firewall, which wants to scan the traffic to detect malware, this is not ideal from a security point of view.

A “normal” firewall cannot scan encrypted traffic.

Avoid the blind flight of your Sophos

All right, a SOPHOS Firewall is not a “normal” firewall. :-) Therefore, some people will probably know that the UTM has been able to scan SSL connections for a long time. Of course, a valid license for Web Protection is required.

However, we still encounter comparatively few configurations where the feature has been activated. The disadvantage is that the entire HTTPS traffic is not checked for malware and botnet connections run through the UTM. This applies to both the UTM and XG. At this point I can only recommend to activate HTTPS-Scanning on your SOPHOS.

Example based on real-life experience

Finally, let’s have a look at how the HTTPS-Traffic works in practice. For example, one of our customer firewalls looks like this:

Since I am already managing some firewalls, I can confirm that some of the HTTPS traffic is already predominant. This depends of course on the company and its surfing behaviour. In summary, I can say that HTTPS traffic on all our tested firewalls averages over 30%. This means that without HTTPS scanning, almost 1/3 of traffic would pass through the firewall unscanned.

In these days when Ransomware is hidden in JavaScript code from hacked websites, you just have to pull out all the stops of your firewall. So make sure you put the following items on your todo list:

Enable HTTPS scanning
Using sandboxing (Sophos Sandstorm)
Using Antivirus with HIPS and Malicious Traffic Detection
User training in detail

Conclusion

While it used to be a rarity that websites were equipped with an SSL certificate, thanks to Let’s Encrypt it is very easy and free to create one yourself. The statistics clearly show that there will probably only be encrypted web traffic in the future. We therefore strongly recommend that you activate and set up HTTPS scanning on the UTM or XG.

Time doesn’t stand still and especially in this case it proves that a firewall can’t just stand in the corner for 5 years without changing anything. Regular maintenance and occasional reviews are absolutely mandatory to be ready for new threats.