Overseas Security Advisory Council: "SSL Filtering Won't Increase Security"
from eWeek on Friday, October 17, 2003
The genie of SSL filtering is out of the bottle. Even if the feature is eliminated, its capabilities can be duplicated.
If you use the Web, you use Secure Sockets Layer connections. SSL is the technology that secures your connection so you can safely submit your credit card number to online merchants such as Amazon.com. It makes it possible to securely use Web-based mail clients from kiosks or shared computers. It is also used to provide clientless VPN connections to company networks. And it has been broken.
Not by a virus or worm, or a newly discovered security hole, or a malicious hacker. SSL has been broken by well-intentioned security vendors trying to provide requested capabilities to their customers. Both the vendors and at least some of their customers see SSL as a potential hole in their firewall and security infrastructure. Because SSL is a secure and encrypted connection, it has been impossible to scan SSL connections for viruses or to apply content filters to the information that passes through an SSL connection.
So, to close this potential hole, security vendors such as Secure Computing and Webwasher recently have added a feature known as SSL filtering to their products. This feature works as a sort of virtual proxy between clients and SSL servers, decrypting and scanning SSL links before sending the information on.
This feature makes it possible to apply anti-virus scanning, firewall rules and content filtering to SSL connections. Unfortunately, it also makes it possible to scan and store all the information that employees and others within the network send to online merchants, including credit card numbers. If a visitor to the company uses the network to access a secure Web-mail client, it makes it possible to break this security and scan a user's mail.
If this sounds bad, imagine this technology being used by an ISP or, even worse, a repressive government. And if outraged employees and corporate visitors aren't good-enough reasons to think twice about deploying SSL filtering, think about this: SSL filtering may very well be illegal.
If online merchants such as Amazon.com found out that companies were using SSL filtering to break the secure connection they are providing to their customers, they probably wouldn't be very happy. And they could very well take action using the extremely broad federal DMCA (Digital Millennium Copyright Act) law.