HTTPS, the new Trojan horse of cybercriminals

By combining HTTP with an encryption system like SSL or TLS, HTTPS guarantees visitors to a website that the site is reliable and complies with the rules of confidentiality. Yet, its rapid rise is attracting an increasing number of cybercriminals.

According to the Gartner Predicts 2017 survey, by 2019, 80% of all companies' traffic on the web will be encrypted. “A growing number of malware attacks will switch to HTTPS to hide the initial infection,” the consulting firm points out.


This means that, despite its name, Hypertext Transfer Protocol Secure (HTTPS) could quickly become a Trojan horse: a contradiction in terms for a supposedly safe technique. The little padlock symbol in front of a website's URL signals that the web application has been authenticated, that the confidentiality and integrity of transmitted data are guaranteed, and that the identity of the visitor or customer is checked.

The price of success

The protocol aims to become the standard for securing flows on the Web, particularly in e-commerce. The phenomenon picked up speed when Google simply imposed it on websites that wanted to improve their search ranking. Since January 2017, Google Chrome, the leading browser on the market, has been flagging HTTP pages as “not secure”. According to the certificate authority Let’s Encrypt, 65% of all Web pages loaded by Firefox in November 2017 used HTTPS, compared to only 45% at the end of 2016.

But HTTPS seems to have fallen victim to its own success. The increase in traffic via the protocol also has a downside: cybercriminals too are benefiting from the protocol to hide their ill intentions. At the end of 2017, one quarter of all phishing attacks were hosted on HTTPS domains, as opposed to less than 3% in 2016. Statistically speaking, the upsurge in HTTPS websites also draws in its wake an increase in phishing sites aimed at stealing visitors’ logins, passwords and bank card numbers.

Need it be said that the encryption of data in transit does not guarantee the security of the website itself? Phishers exploit this misconception among the general public. Many of them today host their phishing pages on domains that they themselves have registered, in order to obtain a valid certificate. By giving their phishing sites a reassuring appearance in the eyes of potential victims, they considerably increase the efficacy of their criminal enterprise.

So if HTTPS is not protection enough, what is?

The deceitfulness of cybercriminals makes it more important than ever to make HTTPS more secure. Solutions exist, starting with new versions of UTM devices, new-generation firewalls (NGFW), proxies and security pages that decrypt and re-encrypt HTTPS without jeopardising the confidentiality of users’ data.

“One can simply rely on analyses without decryption or use the technique of IP reputation [list of suspect addresses], particularly for the bulk of traffic on known, secure websites, but it will always be only partly efficient,” Boris Maréchal, Network Security product leader at Stormshield, points out. “For high-risk sites, it is preferable to use analyses with decryption that are better able to detect attacks.”

But this procedure, which can be heavy on processing resources, assumes that the device decrypts the data to check it, before re-encrypting it. This can slow down traffic, especially if several security layers (IPS, antivirus, C&C detection, etc.) have been installed. Here again, next-generation solutions can help. New UTM devices and the latest generation of firewalls, whose security layers work together on the same equipment and therefore require only one decryption, are to be preferred. But it is important to check their sizing to know whether the extra load can be supported.
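The triage the two paragraphs above describe can be illustrated on the wire: the only plaintext a filter sees before decryption is the TLS ClientHello, whose SNI extension names the requested host. The added example below (written for this article, not Stormshield's code) parses that field from a constructed ClientHello and sorts the connection into "allow without decryption" (known good), "block" (known bad) or "decrypt and inspect" (everything else, including a handshake with no SNI); the two reputation lists are assumed placeholders.

```python
import struct


# Constructed sample input (not captured traffic): a minimal TLS 1.2 ClientHello
# carrying only a server_name (SNI) extension, so the parser can run offline.
def build_client_hello(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data      # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32)                 # client_version + random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent/malformed."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        p = 9 + 2 + 32                                          # record hdr, hs hdr, version, random
        p += 1 + record[p]                                      # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]        # cipher_suites
        p += 1 + record[p]                                      # compression_methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0x0000 and elen >= 5:                   # list_len(2) name_type(1) name_len(2)
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (struct.error, IndexError):                          # truncated or malformed handshake
        return None
    return None


def classify(record: bytes, known_good: set, known_bad: set) -> str:
    """Verdict reachable from the ClientHello alone; unknown or SNI-less traffic is escalated."""
    sni = extract_sni(record)
    if sni is None or sni not in known_good | known_bad:
        return "decrypt"      # reputation cannot decide: hand over to full (decrypting) inspection
    return "allow" if sni in known_good else "block"
```

The "decrypt" verdict is the expensive path the text warns about, so the size of the known-good list directly determines how much load the decrypting layers must absorb.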

Device protection, a vital measure

All such measures can only work if the network's endpoints are protected too, starting with devices which, once compromised, can become a weapon that backfires on the administrator. “In addition to network analysis, it is worth deploying Endpoint solutions on stations that receive and send data. Unlike anti-viruses, which can only detect known threats, our Endpoint solutions use a behavioural approach to block Zero-Day threats,” says Stormshield Endpoint Security product leader, Adrien Brochot.


With its range of new-generation firewalls, the Stormshield Network Security solution analyses and blocks traffic from sites that have been detected and recognised as being high-risk.
To secure even obsolete workstations, our Stormshield Endpoint Security solution monitors and blocks suspicious behaviour from programmes and software in real time.

About the author

Marco Genovese
Stormshield Network Security Product Manager, Stormshield

Marco Genovese was born in Asti, Italy, a town better known for its great wine than for IT infrastructures. After a non-profit experience aiming to bring the Internet to the people – in 1994 – Marco went to study Computer Science and later collaborated with various companies in the security sector. He joined Netasq in 2008 as an International Pre-sales and, after several years, decided to combine quality of life and access to IT infrastructures by moving to Paris. He has been Product Manager for Stormshield Network Security since November 2016.