Raise your hand if you’re using any or all of these technologies:
- NGFW
- IPS/IDS
- URL Filter
- Antivirus
- DLP
- Sandbox
- VPN
- DDoS Mitigation
Pretty much all of us, right? Now raise your hand if you are decrypting SSL/TLS outbound.
While HTTP/2 doesn’t require SSL/TLS, it will use it by default whenever it is available. Oh, by the way, all modern browsers have supported HTTP/2 since January of 2016. Factor in the efforts of Let’s Encrypt, and the adoption of SSL/TLS has skyrocketed in the past few years and will continue to grow. Hell, even this shitty blog is using TLS 🙂

If you aren’t decrypting SSL/TLS, you have to ask yourself: what good is my NGFW, IPS, Antivirus, etc. if I am completely blind to it? The answer is simple: it isn’t good; in fact, it’s terrible. You are bound by the constraints of legacy security: source/destination and ports. It’s like locking a screen door. It will keep the flies out, but it won’t stop any real threats.