SSL Decryption is becoming the norm

A couple of years ago I was at a client’s site in Dubai.  The client was a telco, and I was doing some security consulting for them.  Like many countries in the Middle East, Dubai actively monitors data entering and leaving the country.  Privacy laws, as far as I could determine, do not exist.  All internet communications are actively monitored.  It is quite common to suddenly see a web page pop up explaining in Arabic that the site you are trying to view is not authorized and you have been denied.  Telcos there have spent millions of dollars on infrastructure in order to enforce these requirements.  The design is not as complex as one might think, just resource intensive.  Resources are required to process the data in real time, and staff is required to maintain the infrastructure, look into events and perform other tasks.  Telcos do this because it is required by law.  You cannot obtain a license as a telco unless you have monitoring capabilities deployed.

My first day in Dubai, I went to lunch with one of the executives of the telco.  During our lunch, I asked him how they manage encrypted connections.  He explained that they were currently getting ready to deploy a solution to solve that.  The infrastructure was being upgraded to decrypt all SSL sessions and parse the data as required.  Aside from opening my eyes to the difference in privacy between North America and the Middle East, I found it interesting that SSL decryption was so easily available.  Previously, I had seen software that law enforcement used for this purpose.  I myself had done it for clients using available tools during an engagement.  But these tools were designed more for targeted surveillance, not mass scale.  Like all technology, it improves and gets less expensive over time, I guess.

Today, there are many more companies in North America and abroad that either have deployed SSL decryption capabilities or are in the process of doing so.  Security, diagnostics, audit and legal requirements are some of the reasons: they need to know what is entering and leaving their networks and to be able to log data transmissions and trace them back to the originator.  One driver is Data Leakage Protection (DLP), currently a very ‘hot’ topic, with many new vendors jumping on the opportunity with solutions.  In order to look for data leakage, you need to see past any encryption that might be present.  Cisco, Blue Coat, Palo Alto and Fortinet are just a few companies that offer products for SSL decryption.

With Google deploying encryption for Gmail and, more recently, for search, and with plug-ins such as the EFF Firefox plug-in helping to secure your communications, companies are feeling more and more concerned about what data is coming and going.  What worries me is that all these security, legal and audit requirements companies face are actually not helping them in the long run.  If these companies are decrypting SSL sessions that egress and ingress their network, you can be sure that other companies are doing the same to theirs.  The net result is that everything is decrypted and no one has any privacy.

Next time you connect to your bank, doctor’s office, insurance company, Gmail or any other site and see secure indications from your browser similar to these

along with the company’s reassurances that the site is secure, keep in mind that things may not be as they appear – today even more so than yesterday.

Do you deploy any type of decryption on your network?  If it is deployed are you aware of it?


  • http://resources.infosecinstitute.com/ Darren

    Hi Michael, I was looking around for other good SSL Decryption articles and ran across yours. We just published an in-depth SSL Decryption post and thought you might be interested in providing some thoughts or commentary: http://resources.infosecinstitute.com/ssl-decryption/

  • http://ronosphere.blogspot.com/ Becker Williams

    Hi Michael – as you of course know – only single-side SSL can be decrypted by MITM. Mutually authenticated SSL, where both the server and the client have both public and private keys, cannot, today, be decrypted. There are a whole set of other issues in the single-side case that have to be addressed by a decryptor, including cert mismatch, and signing keys at the intermediary either signed by a well-known root, or the signing key cert has to be installed in the client’s (victim’s) root certificate store. These can be overcome (and are) by various mechanisms – but the real key (no pun intended) is that were client keys and certs more widely deployed, the current techniques for SSL decryption would be rendered useless.

    Cheers!

    ~r

    • Clear2Go

      Hi Becker.  Yes, I agree with what you are saying.  Good points!  Of course, most users going to public sites (banking, PayPal etc.) don’t deploy client certificates, so while the communication is encrypted, a simple ‘proxy’ is usually sufficient to MITM.  Studies show certificate mismatches are typically just overridden by the end user, and as you indicated there are ways to control the root certificates in the store.  Many products now actively do this and are being deployed by businesses so they can control what the users do inside SSL.

      Thanks for commenting — appreciated.
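The post asks whether you are aware of decryption on your network, and the exchange above explains why a decrypting proxy works: it re-signs a leaf certificate for the requested site with a CA that has been placed in the client’s root store, so the browser’s padlock still shows. The following is an added example (not from the post or its commenters) of a client-side check that compares what a site presents against a fingerprint and issuer recorded out of band, which is one way to notice such a proxy. The host names, the `EXPECTED_BANK` pin and the certificate bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl

def fingerprint(der_bytes):
    """SHA-256 of the DER-encoded leaf, the value you would pin out of band."""
    return hashlib.sha256(der_bytes).hexdigest()

def _dn(rdns):
    """Flatten the nested ((('key', 'value'),), ...) DN form returned by
    ssl.SSLSocket.getpeercert() into a plain dict."""
    return {k: v for rdn in rdns for k, v in rdn}

def classify(host, cert, der_bytes, expected):
    """Compare a presented leaf with a record made out of band
    (expected = {"sha256": hex, "issuer_cn": str}) and return findings.
    An empty list means nothing pointed at interception; it is not proof
    that nobody is decrypting the session."""
    findings = []
    subject, issuer = _dn(cert.get("subject", ())), _dn(cert.get("issuer", ()))
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    # A decrypting proxy re-issues a leaf for the requested name, so the name
    # usually matches; the tell-tale signs are the signer and the hash.
    if fingerprint(der_bytes) != expected["sha256"]:
        findings.append("leaf fingerprint differs from the pinned value")
    if issuer.get("commonName") != expected["issuer_cn"]:
        findings.append("issuer CN %r is not the expected %r"
                        % (issuer.get("commonName"), expected["issuer_cn"]))
    if subject == issuer:
        findings.append("leaf is self-signed; no CA chain presented")
    if host not in sans and subject.get("commonName") != host:
        findings.append("certificate was not issued for %s" % host)
    return findings

def fetch_and_classify(host, expected, port=443, timeout=5.0):
    """Live check. The default context trusts the local root store, which is
    exactly where an interception CA gets installed, so a successful
    handshake proves nothing by itself; classify() does the real work."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(host, tls.getpeercert(),
                            tls.getpeercert(binary_form=True), expected)

# Constructed sample of a session re-signed by a corporate inspection CA.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp SSL Inspection CA"),)),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
}
INTERCEPTED_DER = b"constructed-der-bytes-not-a-real-certificate"
EXPECTED_BANK = {"sha256": fingerprint(b"the-real-leaf-der-placeholder"),
                 "issuer_cn": "Example Public CA G2"}
```

Running `classify("bank.example", INTERCEPTED_CERT, INTERCEPTED_DER, EXPECTED_BANK)` reports both the fingerprint and the issuer mismatch, which is the signature of the proxy case the comments describe; `fetch_and_classify` applies the same check to a live connection.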