
11/19/2014 04:50 PM

Internet Architecture Board Calls For Net Encryption By Default

The Internet Architecture Board (IAB) urges encryption across the protocol stack to usher in an era where encrypted traffic is the norm. But there are possible security tradeoffs.

The Internet Architecture Board (IAB) is calling for encryption to become the norm across the Internet in a move to lock down the privacy and security of information exchange.

"The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic," IAB chairman Russ Housley wrote late last week in the IAB Statement on Internet Confidentiality. "Newly designed protocols should prefer encryption to cleartext operation."

Housley's declaration signaled a major strategic move for the Internet. The IAB, which oversees the Internet's architecture, protocol, and standards efforts, is now encouraging a new era of Internet protocols -- as well as products and services -- that are created with security in mind, security experts say. "We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected," Housley wrote.

Richard Bejtlich, chief security strategist at FireEye and a nonresident senior fellow for the Brookings Institution, says the IAB's stance "represents the progression of trying to introduce some real security into the [Internet] standards-making process."

This is obviously not the Internet architecture community's first effort to better secure the core Internet protocols and infrastructure. The Internet Engineering Task Force (IETF) has issued security protocol specifications such as Transport Layer Security (TLS), DNSSEC, and the next-generation IP protocol, IPv6, which includes the IPsec encryption protocol, for example. This wasn't the IAB's first proclamation about encryption, either. In 1996, it issued RFC 1984, which basically covered the need for encryption to protect users' private information. "Since that time, we have seen evidence that the capabilities and activities of attackers are greater and more pervasive than previously known," Housley said in the recent IAB statement.

Calls for more widespread encryption have intensified in the wake of the leak of controversial NSA spying programs by former NSA contractor Edward Snowden, and the IAB's position coincides with a wave of more mainstream encryption acceptance. Yesterday the Electronic Frontier Foundation (EFF) announced Let's Encrypt, a project in which the EFF has teamed up with Mozilla, Cisco, and Akamai via a nonprofit to help roll out free HTTPS server certificates and make encrypting web traffic easier. And the maker of the widely adopted WhatsApp messaging app plans to provide end-to-end encryption by default.

Privacy advocates and security experts welcome the renewed emphasis on encryption, but there are potential security tradeoffs when enterprises adopt encryption. Monitoring and scanning for malicious activity can be challenging when enterprise traffic is encrypted.

"Encryption is always better," Bejtlich says. "But with my monitoring hat on, encryption can be difficult. If you're trying to monitor an encrypted resource, you can't quite see what's happening."

Unintended consequences
Security vendor Blue Coat warns that attackers could wage relatively simple malware attacks under the cloak of encrypted connections and steal information without the victim organization being able to detect it. Attackers can combine short-lived websites with encryption to exfiltrate information over SSL connections.

Encryption is key to securing the Internet, according to Hugh Thompson, chief security strategist for Blue Coat, which published a report about this "visibility void" yesterday. "But there are consequences: If you think about the security infrastructure [enterprises] have built up over the last 10 years, network antivirus, data leakage prevention, scanning network traffic... When you suddenly encrypt that traffic, these tools cannot operate on an encrypted network," he says. "The side effect is a growing [blind spot] to malicious traffic going through those channels."

But businesses don't have to trade privacy for security or vice versa, he says. It's a matter of establishing policy-based encryption, decrypting only some traffic that needs security scanning. "Not personal banking, not healthcare information. You don't want to interfere with personal interactions on the web."

Encryption, meanwhile, is on the rise in organizations. Thompson estimates that 10% of traffic volume at a typical business was encrypted 2-3 years ago. Now it's closer to 40%, much of that thanks to the top websites -- such as Google, Amazon, and Facebook -- operating with HTTPS by default today.

The bad guys also are capitalizing on encryption. Gartner predicts that, by 2017, more than half of all cyberattacks will use some form of encryption to sneak malicious traffic by security systems.

Housley addressed the challenges full-scale encryption poses for security monitoring. He wrote that the IAB will help promote the development of approaches that balance enterprise security with more secure and private Internet communications.

"We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload," Housley wrote in the IAB statement. "For many of these activities there are no solutions yet, but the IAB will work with those affected to foster development of new approaches for these activities which allow us to move to an Internet where traffic is confidential by default."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas, User Rank: Strategist, 11/24/2014 | 10:32:46 AM
Re: Encryption: A benefit as well as detriment
This does seem like a radical change that will pose some serious implementation issues for many security teams. But the Gartner prediction -- if true -- that, by 2017, more than half of all cyberattacks will use some form of encryption to sneak malicious traffic by security systems -- is pretty scary.
GonzSTL, User Rank: Ninja, 11/21/2014 | 2:35:24 PM
Re: Encryption: A benefit as well as detriment
Nothing is scarier than knowing that you do not know what data is flowing through your network. Implementation of this within an internal private network should only come after security related products have been developed that take this into account. This would probably also mean that existing products will be forklifted to make room for the new ones - a very expensive undertaking.
Kelly Jackson Higgins, User Rank: Strategist, 11/21/2014 | 2:06:52 PM
Re: Encryption is our friend, not so fast
Yes, @DrT. That's what this story talks about as the tradeoff.
Marilyn Cohodas, User Rank: Strategist, 11/21/2014 | 8:11:34 AM
No win situation
This does seem like a damned if you do and damned if you don't situation. But given the trends outlined in the article, to do nothing seems to be the worst-case scenario.
RyanSepe, User Rank: Ninja, 11/20/2014 | 10:35:10 AM
Re: Encryption: A benefit as well as detriment
Agreed. Maybe I should have phrased "as well as a detriment" in a hesitant, question-like manner. But visibility may be difficult because encryption methodologies seek specifically to limit the scope of unauthorized visibility. As posed before, would the pervasive detection tools now be able to see through the encryption? Because as stated in the article, if they can't, changes/modifications can be made without knowledge of the enterprise security initiative.
Dr.T, User Rank: Ninja, 11/20/2014 | 10:29:38 AM
Re: Encryption: A benefit as well as detriment
Encryption can be fast enough and have minimal impact on the network and systems; the main problem is the visibility.
Dr.T, User Rank: Ninja, 11/20/2014 | 10:28:21 AM
Re: x.509 Galore
A public-private pair is the way to go. You have to have something you do not share with anyone but yourself. If more than two people know it, it does not matter how many certificates we have.
Dr.T, User Rank: Ninja, 11/20/2014 | 10:25:40 AM
Encryption is our friend, not so fast
I would love to see encryption across the board in and out of the networks. There is one single problem: visibility. If you know you encrypted everything but you do not know what is flowing in your network, that would not mean you are secure. The tools that are required to monitor the network should also be encryption-aware for this to succeed.
RyanSepe, User Rank: Ninja, 11/20/2014 | 8:54:49 AM
Encryption: A benefit as well as detriment
That's terrifying that the increase of encryption throughout the stack will cause a growing blind spot within organizations. Are the pervasive scans currently being leveraged through IDS/IPS and MSSPs not able to break through the encryption to depict events efficiently today? Or is the obfuscation referenced here due strictly to human-correlated data audits?
macker490, User Rank: Ninja, 11/20/2014 | 8:14:47 AM
x.509 Galore
Once just about everyone has an x.509 certificate (we are close now) -- just about everything you look at will appear to be valid.

This is a problem on the net NOW, as people really don't know, from day to day, what a site is supposed to look like -- nor its x.509 identification.

Until people take up the practice of validating and signing x.509 certificates the problem will remain: we don't know who to trust.

The deluge of x.509 certificates that your browser dumps on you should all be flagged MARGINAL TRUST.

To get Full Trust you need to check the fingerprint on the certificate with a reliable source and then sign the certificate using your copy of PGP/Desktop or GnuPG.

Reliable source: I recommend your local Credit Union. A co-operative would need to be set up.