HTTPS scanning – why it should be enabled on Sophos
Encryption is one of those things. Don’t you have the feeling that you hear about it again and again, even talk about it, but the spread is rather slow? With the “Let’s Encrypt” project, at least encrypted communication on the Internet, between a website and a visitor, has received a strong boost! Thanks to free SSL certificates, “Let’s Encrypt” wants to make an encrypted connection the standard.
In this blog article, I want to show what this means for your Sophos Firewall when suddenly the majority of web traffic is encrypted.
Beginnings of “https://”
Let’s go back a few years and look at how the move towards “https://” on the Internet unfolded. At Avanet we followed most of this period through Google’s contributions, so please excuse that the following small timeline also turns out very “Google-heavy”.
- 2010 – Google encrypts search queries (BETA)
- 2011 – YouTube becomes encrypted by default
- 2013 – Edward Snowden says good encryption is secure
- 2013 – (March) Google search is now encrypted by default.
- 2014 – Google favors HTTPS pages and ranks them higher to entice users to switch.
- 2015 – (03.12.2015) Let’s Encrypt enters the open beta phase for all
- 2016 – (09.03.2016) Let’s Encrypt has already issued 1 million certificates
- 2016 – (13.04.2016) Let’s Encrypt ends beta phase.
- 2016 – (16.10.2016) HTTPS encryption on the web reaches 50 percent for the first time
- 2017 – (24.10.2017) 71 of the 100 most visited websites rely on HTTPS.
- 2018 – (February) 81 of the top 100 sites on the web use HTTPS by default.
1.7 million certificates for more than 3.8 million websites.
From our point of view, Google, with its power as a search giant, has contributed a great deal to webmasters increasingly equipping their websites with an SSL certificate. Since Google stated that encrypted connections will also influence a website’s ranking in the future, one is virtually forced to obtain an SSL certificate. Thanks to Let’s Encrypt, this is now even possible for free!
*Of course, we have already tried “Let’s Encrypt” ourselves: since January 2016 this blog has been equipped with a Let’s Encrypt certificate.
Encryption and security
The previous graphic alone clearly showed that encrypted websites are likely to become the standard in the future. Actually, that’s a good thing, right? Yes and no. For a visitor it is of course great if the communication between them and the website they visit is encrypted. Especially in online stores, where sensitive data has to be transmitted, this naturally creates additional trust. For your firewall, however, which wants to scan the traffic to detect malware, this is not so ideal from a security point of view.
A “normal” firewall cannot scan encrypted traffic.
Avoid flying blind with your Sophos
Well, a SOPHOS firewall is not a “normal” firewall. 🙂 Some will therefore probably also know that the UTM has been able to scan SSL connections for some time. The prerequisite is, of course, a valid Web Protection license.
However, we still encounter comparatively few configurations where the feature has actually been enabled. The downside is that none of the HTTPS traffic is checked for malware, and botnet connections also pass through the UTM unnoticed. This applies to both the UTM and the XG. So at this point I can only recommend enabling HTTPS scanning on your SOPHOS.
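As an added check that is not part of the original article or of Sophos’ own tooling: from a client behind the firewall, a quick way to confirm that HTTPS scanning is really active is to look at who issued the certificate the client receives, because an intercepted site presents a chain re-signed by the firewall’s own CA rather than the public one. The CA name and the sample certificates below are constructed placeholders.

```python
"""Check whether HTTPS scanning (TLS interception) is active for this client:
an intercepted site presents a leaf certificate issued by the firewall's CA."""
import socket
import ssl

# Hypothetical organizationName of the firewall's signing CA; on a real
# appliance read it from the CA certificate exported for client rollout.
FIREWALL_CA_ORG = "Example Firewall Proxy CA"


def issuer_org(cert):
    """Return the issuer's organizationName from the nested-tuple layout that
    ssl.SSLSocket.getpeercert() returns, or '' when it is absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def is_intercepted(cert, ca_org=FIREWALL_CA_ORG):
    """True when the chain was re-signed by the firewall, i.e. scanning is on."""
    return issuer_org(cert) == ca_org


def fetch_cert(host, port=443, ca_file=None, timeout=5.0):
    """Fetch the leaf certificate this client actually receives for host.
    Verification stays enabled: a firewall CA the client does not trust raises
    ssl.SSLCertVerificationError, which is itself a finding (scanning is on,
    but the CA was never distributed to this client)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() layout (not real data).
PUBLIC_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Intermediate"),)),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", FIREWALL_CA_ORG),),
               (("commonName", "Firewall Proxy CA"),)),
}

if __name__ == "__main__":
    for name, cert in (("public", PUBLIC_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(f"{name}: issuer={issuer_org(cert)!r} scanned={is_intercepted(cert)}")
```

Run `fetch_cert("www.example.com")` from a client inside the network and pass the result to `is_intercepted` to see whether the firewall is actually in the path for that site.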
Example from practice
Finally, let’s take a quick look at what HTTPS traffic looks like in practice. One of our customer firewalls, for example, looks like this:
Since I manage quite a few firewalls, I can confirm that HTTPS traffic already predominates on some of them. Of course, this depends on the company and its browsing behaviour. In summary, however, I can say that HTTPS traffic averages over 30% across all the firewalls we looked at. This means that without HTTPS scanning, almost 1/3 of the traffic would pass through the firewall unscanned.
In times when ransomware hides in the JavaScript code of hacked websites, you simply have to use every capability your firewall offers. So make sure you put the following items on your to-do list:
- Enable HTTPS scanning
- Use sandboxing (Sophos Sandstorm)
- Deploy antivirus with HIPS and malicious traffic detection
- Train users in detail
Conclusion
While it used to be rare for websites to come with an SSL certificate, thanks to Let’s Encrypt it is now very easy and, above all, free to issue such a certificate yourself. The statistics clearly show that in the future there will probably be only encrypted web traffic. We therefore strongly recommend enabling and setting up HTTPS scanning on the UTM or XG.
Time doesn’t stand still, and this is another case that shows a firewall cannot simply sit in the corner for five years without anything being changed. Regular maintenance and occasional reviews are absolutely mandatory to be ready for new threats.