HOW ENCRYPTION HAS MADE YOUR WEBSITES MORE (AND ALSO LESS) SECURE, AND WHAT TO DO ABOUT IT

onestro

Registered Member
Joined
Aug 13, 2021
Messages
64
Reaction score
21
Executive Summary

After almost three decades, the familiar padlock icon and “https://” prefix in web browsers — which indicate encrypted communications, mutual authentication, and advanced features support with the websites being visited — are finally showing up for nearly 100% of all website traffic.
Encryption makes your websites more secure, with respect to protecting the confidentiality / privacy and integrity of the data being sent over public networks.

Encryption also makes your websites less secure, because it also blocks your ability to see your website traffic — which increasingly includes malware, links to drive-by download sites, ad spyware, phishing attacks, cross-site scripting, and other ever-evolving threat categories.
To address this contemporary cybersecurity conundrum, leading cybersecurity solution providers have developed capabilities to inspect all encrypted website traffic without impacting your end user experience, and to detect and mitigate threats in website traffic while sustaining complex regulatory compliance requirements.
As of March 2024, the Google Transparency Report for encryption on the web shows that the percentage of website pages loaded over https in the Google Chrome web browser has reached nearly 100%.
For example: u Germany: 96% u France: 97% u United States: 98% In EU countries, this represents nearly threefold growth between 2015 and 2024.

How We (Finally) Got Here: Encryption Has Made Your Websites More Secure How time flies: Secure Sockets Layer (SSL 2.0), the first commercial encryption protocol designed to provide secure communications between websites and web browsers, was introduced in April 1995. Over the years, SSL was progressively evolved into the standards-based, interoperable Transport Layer Security (TLS) protocol of the present day — see the historical timeline below:

In the EMEA region, there are additional initiatives that have notably contributed to the adoption of encryption by website owners, such as: u The EU General Data Protection Regulation (GDPR), which “lays down rules relating to the protection of natural persons with regard to the processing of personal data” and “in particular their right to the protection of personal data.”
GDPR was passed in 2016, and specified two tiers of potential fines for non-compliance with enforcement starting from May 25, 2018.

The EU Cybersecurity Strategy, which “aims to build resilience to cyber threats and ensure that citizens and businesses benefit from trustworthy digital technologies.”
It was passed in 2021, and EU member states have until October 18, 2024 to incorporate its provisions into their respective national laws.

A primary research on GDPR confirmed that compliance requirements for data privacy and data protection have been strong drivers for positive changes with respect to the security of personal data / personally identifiable information (PII), including the organization’s: u Priorities u Resource allocation u Implementation strategies u Advanced technology adoption.
The primary research on GDPR confirmed that compliance requirements for data privacy and data protection have been strong drivers for positive changes in enterprise priorities, resource allocation, implementation strategies, and advanced technology adoption:
A net +58% of all respondents increased the priority given to improving the security of personal data / personally identifiable information (PII) u A net +56% of all respondents increased the resources allocated to the security of personal data / PII These drivers are consistent with the empirical data for the nearly threefold growth in the percentage of website pages loaded over https in the Google Chrome web browser in EU countries (such as Germany and France, as seen in Figure 3), between 2015 and 2024.

Encrypted channels can and do hide malware and other cybersecurity threats in your website traffic.
State of Encrypted Attacks Report; Aberdeen, April 2024 Make no mistake: taken across 360 billion transactions per day, 30 billion cybersecurity threats amounts to just 0.23%. So although the likelihood of a specific transaction resulting in a potential data breach, ransomware, business email compromise, or other adverse consequence is relatively small — the likelihood for any transaction to do so is very high, especially when it passes through your network without being seen.

So the risk from the ubiquity of Internet encryption protocols is high, and getting higher.
Geographically, countries that experience the greatest number of encrypted attacks include the US, UK, France, Germany, Poland, and Russia. As the percentage of encrypted website traffic increased, cybersecurity solution providers responded as always with a variety of technical approaches designed to overcome the encryption blind spot — each of which has corresponding challenges and tradeoffs.
These include:
1. Specialized appliances to decrypt, inspect, and re-encrypt website traffic.
2. Challenges include a negative impact on throughput, compliance-related considerations that Internet encryption protocols were implemented to address in the first place, additional complexities of managing encryption keys, and general complexities of integrating with a diverse and everchanging computing infrastructure.
3. Analysis of website traffic metadata for behavioral patterns that could indicate threats or indicators of compromise — even while payloads remain encrypted.
4. Challenges include complexities of configuration and fine-tuning alerts, and reintroduction of potential data privacy issues that encryption was

In the EMEA region, regulatory attention is starting to focus not only on capabilities to prevent cybersecurity attacks but also on capabilities to respond and recover if (when) they do in fact occur. For example, the European Central Bank (ECB) has initiated a “cyber resilience stress test” for the 109 banks that it supervises, starting in January 2024. In what is essentially a tabletop exercise, the ECB stress test assumes that a cyberattack “succeeds in disrupting the bank’s daily business operations. Banks will then test their response and recovery measures, including activating emergency procedures and contingency plans and restoring normal operations.” The ECB supervisors will then incorporate these findings as part of the regular supervisory review process with each bank.

Remote and hybrid workforce models:
Zero Trust principles - Cloud-based workloads, including public, private, and hybrid.
Preserve enterprise compliance with data privacy regulations such as GDPR
E.g., by acting in the capacity of a data processor, which refers to any entity that processes personal data on behalf of the data controller.
Finally, leading solution providers should also have a point of view about ways to address future developments in encryption, and their impact on your enterprise cybersecurity strategies.
Examples to consider asking about include:

Forward Secrecy (FS) or Perfect Forward Secrecy (PFS), which refers to the frequent and automatic replacement of encryption keys, to minimize the amount of data exposure if keys are accessed by unauthorized parties.
Post-Quantum Cryptography (PQC), which refers to emerging public-key encryption algorithms that are designed to be implemented today, while providing future protections against known threats from quantum computers. For example, see Apple’s February 2024 announcement on quantum-secure messaging.

Summary and Key Takeaways
Today, after almost three decades, the percentage of all website traffic using internet encryption protocols is approaching 100%.
At the same time, encrypted channels can and do hide malware and other cybersecurity threats in your website traffic. For example, publicly available empirical data shows that out of more than 360 billion daily transactions monitored by the Zscaler Zero Trust Exchange Platform in 2023:
- Nearly 30 billion cybersecurity threats were identified and blocked — the vast majority of which occurred over encrypted channels
- Preserve enterprise compliance with data privacy regulations such as GDPR, e.g., by acting in the capacity of a data processor, which refers to any entity that processes personal data on behalf of the data controller - Address future developments in encryption, such as Perfect Forward Secrecy (PFS) and Post-Quantum Cryptography (PQC)​
 
Please, next time you post, don´t fckn CENTER your text formatting.
 
Back
Top