SSL Sniffing – How Safe Is Your Information?

Some firewalls now have a feature (not so new, but unknown to most web users) that changes what the little lock in your browser means: the lock that shows you are using a secure connection is no longer what it used to be.

When you make a secure connection to a web site, your bank for example, and you see the little lock appear, that lock indicates that your browser has checked the server's certificate and is exchanging information with it over an encrypted channel.  Behind the scenes, the browser and the server agree on session keys, and everything you send and everything sent back to you is encrypted so that others on the path cannot easily read it.  That perception of safety is the basis of all financial, as well as other, transactions on the Internet, and you as the consumer believe that when you see that lock, your information is safe.

There’s a lot that happens and can happen in between you and the server that you’re communicating with.  To illustrate what I’m talking about, here is a simplified diagram of a typical network configuration, using a bank as the example:


Your computer connects to your bank through firewalls.  The close firewall protects your network and the firewall on the bank’s end protects their network.  There is typically a certificate installed on the bank’s firewall and server that allows you to establish a secure connection to that server.


For the sake of clarity, we’ll consider the solid lines in the above diagram to represent secure, end-to-end communications between the endpoints.  In order for someone to compromise your information in this situation, they would need to break the encryption on the traffic between your machine and the bank’s servers, which is not easily done.  Your information is relatively secure.  There are scenarios in which this can be broken, but for simplicity’s sake, let’s just say that it is no easy feat to make that happen.

You can browse your secure information from home, from the office, and just about anywhere else you are with little fear of threat.

Enter the SSL-inspecting firewalls.  Microsoft’s software firewall, Forefront Threat Management Gateway (TMG), along with some other hardware and software firewalls, can now decrypt HTTPS traffic so that it can be inspected by the firewall and its administrators.  In Microsoft’s case, their documentation advises anyone implementing HTTPS inspection to notify users when they attempt to browse to an SSL web site.  To illustrate how your connection looks under this new arrangement, I’ve included another simple diagram that builds on the one above.


Now to explain what you’re looking at in the diagram above.  It’s the same connection that you saw in the first diagram, except that the firewalls can now inspect your information.  Your secure connection is actually only a secure connection to the firewall.  The firewall decrypts your traffic, inspects it, logs it, opens its own connection to your bank, re-encrypts your traffic and sends it on.  Since the firewall, and not you, created the connection to your bank, it can also decrypt every response that your bank sends back.  For your browser to accept this without a warning, the firewall has to present a certificate for the bank’s name that it signed itself, and the firewall’s own certificate authority has to be installed as trusted on your computer, which a company can do on the machines it manages.  That is why the lock still appears: the certificate behind it was issued by the firewall, not by the bank’s certificate authority.
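As an added example that is not part of the original post: a small Python script that applies the check just described, looking at who issued the certificate your machine was actually shown.  If your organisation’s inspection CA is installed in the system trust store, the normal verification passes and the lock appears, so you have to look at the issuer yourself (or pin the issuer you expect).  The certificate dicts below are constructed samples in the shape returned by Python’s ssl getpeercert(); the issuer names, the “Contoso” gateway CA and the keyword list used as a heuristic are assumptions for illustration, not names any real vendor or bank uses.

```python
import socket
import ssl

# Words an enterprise inspection gateway commonly puts in the name of its
# signing CA.  Hypothetical heuristic for this example, not a vendor list.
LOCAL_CA_HINTS = ("inspection", "proxy", "gateway", "tmg", "corp")


def rdn_value(name, attr):
    """Return the value of `attr` (e.g. 'commonName') from a subject/issuer
    tuple in getpeercert() form, or None if the attribute is absent."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def inspection_verdict(cert, expected_issuer_cn=None):
    """Classify a certificate dict in the shape of ssl.SSLSocket.getpeercert().

    With a pinned issuer: 'pinned-match' or 'pinned-mismatch'.
    Without one, fall back to the name heuristic: 'suspicious-issuer' when the
    issuer looks like a local gateway CA, otherwise 'unknown' (not 'safe').
    """
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName") or ""
    if expected_issuer_cn is not None:
        return "pinned-match" if issuer_cn == expected_issuer_cn else "pinned-mismatch"
    lowered = issuer_cn.lower()
    if any(hint in lowered for hint in LOCAL_CA_HINTS):
        return "suspicious-issuer"
    return "unknown"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: connect using the system trust store (exactly where an
    inspecting gateway's CA would have been installed) and return the leaf
    certificate that the gateway, or the real server, presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not captured from any real site).
DIRECT_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
    "serialNumber": "0A1B2C",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),  # same name as the bank
    "issuer": ((("organizationName", "Contoso Ltd"),),
               (("commonName", "Contoso TMG HTTPS Inspection CA"),)),
    "serialNumber": "01",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


if __name__ == "__main__":
    import sys
    # Pass a hostname to check a live connection; otherwise use the sample.
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else INTERCEPTED_CERT
    print("subject:", rdn_value(cert["subject"], "commonName"))
    print("issuer: ", rdn_value(cert["issuer"], "commonName"))
    print("verdict:", inspection_verdict(cert))
```

The keyword heuristic only catches gateways whose CA is named honestly; pinning the issuer you saw from a network you trust (the `expected_issuer_cn` argument) is the stronger check, and a mismatch there is worth asking questions about regardless of what the lock icon says.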

This is a little disconcerting because your traffic can be read without your knowledge.  SSL used to be a way to communicate securely end to end, but not so much anymore.  Considering that a large share of compromises come from inside the network rather than from outside it, your information may be viewed by anyone with access to the firewall, or to the firewall server in the case of a software firewall like ISA Server or TMG.

All of this is only on your side, the sending side.  Your bank, or whatever other site you’re connecting to, may also decide to inspect incoming traffic on its end.  That means your traffic can be exposed at both endpoints, by design!

Pretty scary stuff.  Until published policies are out, and as long as these firewalls can decrypt your data before it reaches its destination, you may want to at least be aware that your secure information may have a ‘man in the middle’ somewhere along the path.  By the way, a ‘man in the middle’ attack means that instead of your computer or the server at the other end being compromised, someone has compromised a step along the way, for example by obtaining an administrator’s account and password and logging directly onto the firewall.

Moral of the story: don’t necessarily be paranoid, but at least be aware, and take care of your data.  The quickest check is to click the lock and look at who issued the certificate; if the issuer is your own organisation’s or a gateway vendor’s certificate authority rather than a public one, your traffic is being decrypted somewhere in the middle.

