It’s been over 20 years since the earliest versions of the Secure Socket Layer (SSL) protocol emerged from a team of engineers at Netscape Communications. As the Internet and more specifically the World Wide Web began its precipitous climb in the early 1990’s these engineers recognized that to drive deeper interactions online, a standard for securing communications would need to be widely adopted.
As is always the trend, mass adoption of certain technologies is followed closely by efforts to exploit its wide use through a number of security threats. SSL is no exception to this rule, and has experienced a large number of highly publicized vulnerabilities that force users to move to new, more secure versions and ultimately a replacement protocol such as Transport Layer Security (TLS).
However, exploits of newly identified vulnerabilities are not the only way that SSL adoption is being used as a weapon in the hands of malicious attackers and adversaries behind cyber threats. SSL is increasingly being used to mask and further complicate attack traffic detection in both networkand application level threats.
The Information Technology universe that leverages SSL got a major wake-up call in April 2014 with the disclosure of the Heartbleed vulnerability associated with OpenSSL implementations.
Some other major SSL vulnerabilities that have emerged over the years include the long standing (and still impactful) RC4 vulnerability originally discovered in 2002, and the more recent POODLE vulnerability that exploits some software logic to failback to SSL 3.0 (exposing other known vulnerabilities).
These SSL vulnerabilities are not directly related to the SSL DDoS and advanced web application attacks described earlier. However, these vulnerabilities can cause a distraction from addressing broader non-vulnerability based attack weaknesses, and highlight the tendency towards exploitation of broadly adopted technologies.
Despite some high profile security issues, SSL (and TLS) remain the standards for ensuring secure communications and commerce on the web, and has seen dramatic growth in recent years. When SSL was conceivedand introduced, a relatively small number of businesses had websites, and even fewer were managing commerce or critical aspects of business operations online. Today, most businesses of reasonable size have an active website to drive consumer engagement and at a minimum, properly secure communications (if not transactions) through its website.
According to Netcraft, the use of SSL by the top one million websites has increased by 48% over the past two years. As more and more sites add SSL or TLS capabilities, user adoption in turn also increases.
Email services and the threat looming large…
For many years, it was recommended to implement SSL to support e-commerce sites or any credit card transactions. Those limitations have gone away with the growth of other purposes for secure communications. One area of dramatic growth is encrypted email services.
A recent series of attacks highlighted how providers of encrypted service can become targets for encrypted attacks. ProtonMail is a leading provider of encrypted email services, providing a secure means of communication to over 500,000 users. In November 2015, ProtonMail was targeted with a series of advanced DDoS attacks that included volumetric attacks over 100 Gbps as well as application layer attacks. The attacks also included multiple encrypted attack vectors including SSL SYN flood attacks that required advanced behavioural analysis to identify malicious traffic and maintain legitimate encrypted traffic flows.
Protection from SSL Attack
SSL attacks are becoming more popular among attackers as it only requires a small number of packets to cause denial of service for a fairly large service. Attackers launch attacks that use SSL because each SSL session handshake consumes 15 times more resources from the server side than from the client side, meaning the attack has exponentially increased in size without requiring additional bots or bandwidth. As a result of these amplification effects, a single standard home PC can take down an entire SSL-based web server, while several computers can take down a complete farm of large, secured online services.
The unfortunate reality is that the majority of DDoS attack protection solutions only provide protection for certain types of attacks, and in many cases struggle with SSL attacks. The bottom line is that to provide effective protection, solutions need to delivery full attack vector coverage (including SSL), high scalability to meet the growing demands of the consumer, and innovative ways to minimize if not eliminate these threats.
Many solutions that can do some level of decryption tend to rely on rate limiting the rate of request, which results in dropped legitimate traffic and effectively completes the attack. Finally, many solutions require the customer to share actual server certificates, which complicates implementation, certificate management and forces customers to share private keys for protection in the cloud.