Report: Two new encryption standards will soon sweep away security controls

August 17, 2020

Security professionals must act before TLS 1.3 and DNS-over-HTTPS (DoH) are implemented or they won’t be able to analyze network traffic and detect cyberthreats, warns Forrester Research.


Transport layer security (TLS) and DNS, two of the foundational protocols of the internet, have recently undergone radical changes to protect browser user privacy. At the same time, they will reduce security on-premises in the short term, and security professionals must put tools in place in the next couple of years, a new report from Forrester Research states.


“While [the protocols] hide user activity from the searching eyes of nation-states and ISPs, they also hide valuable metadata from enterprise network inspection tools,” according to Forrester Research’s senior analyst, David Holmes. “As these changes gain momentum, security monitoring tools will be blinded to the contents and destination of traffic and unable to detect threats. The network will be darker than it’s ever been.”

Privacy activists have squared off against the government surveillance community by advocating for encryption, and have been working within the Internet Engineering Task Force (IETF) to provide countermeasures against eavesdropping and data collection, Holmes wrote. The latest version of TLS, 1.3, and the encryption of the domain name system are the results of their most recent efforts.


But these changes have stirred controversy, he said, because:

  • The financial services community has invested heavily in passive decryption, because regulation prohibits unencrypted data, even on their internal networks. The privacy activists engineered TLS 1.3 to require “forward secrecy,” making it incompatible with the security inspection architectures of large financial services.

  • TLS 1.3 encrypts server certificates, meaning security teams can no longer apply network policies that prevent users from visiting sites with unsafe certificates, including those that are expired, revoked, or self-signed.

  • DNS-over-HTTPS removes IT control. Privacy activists see the current domain name system as a significant privacy leak and have proposed encrypting DNS queries via DNS-over-HTTPS to fix it. Browsers and content delivery networks (CDNs) adopted it as quickly as they could, even over the protests of many detractors. One of the most vocal opponents, Holmes wrote, is Paul Vixie, the godfather of DNS.

The report stresses that security professionals should be aware of the coming changes. “Many security tools such as enterprise firewalls, secure web gateways, and cloud access security brokers (CASBs) block users from going to known-bad websites by examining three key pieces of metadata in the encrypted traffic,” Holmes wrote. Three pieces of metadata will soon be disappearing from network traffic: the user’s DNS request, the target’s SSL certificate, and the Server Name Indication (SNI).
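Of the three fields named above, the SNI is the one an inspection device can still read from a TLS 1.3 connection, because it travels in the unencrypted ClientHello (the server certificate, by contrast, is now sent inside encrypted records). The following Python is an added example, not code from the report or the article; it constructs a sample ClientHello and extracts the SNI the way a passive monitor would. The hostnames and the fixed random bytes are constructed values.

```python
"""Extract the Server Name Indication (SNI) from a TLS ClientHello record."""
import struct

SNI_EXT_TYPE = 0  # server_name extension type (RFC 6066)

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with one SNI.
    Sample data only: fixed random bytes, one cipher suite, two extensions."""
    name = hostname.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name + name
    sni_ext = (struct.pack("!HH", SNI_EXT_TYPE, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    supported_versions = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # offers TLS 1.3
    exts = sni_ext + supported_versions
    body = (b"\x03\x03" + b"\x11" * 32            # legacy_version, 32-byte random (constant here)
            + b"\x00"                             # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # legacy_compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if not present."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record, or not a ClientHello
    pos = 9 + 2 + 32                     # skip record/handshake headers, legacy_version, random
    pos += 1 + record[pos]               # legacy_session_id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2 + cs_len                    # cipher_suites
    pos += 1 + record[pos]               # legacy_compression_methods
    if pos + 2 > len(record):
        return None                      # no extensions block at all
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos += 2
    end = min(pos + ext_total, len(record))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == SNI_EXT_TYPE:
            # server_name_list: 2-byte list length, then name_type(1), name_len(2), name bytes
            (name_len,) = struct.unpack_from("!H", record, pos + 3)
            return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None                          # ClientHello without SNI (or SNI hidden, e.g. via ECH)

if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))  # -> example.com
```

A monitor that keys policy on SNI alone should treat a None result as reduced visibility, not as a benign connection.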

“Most Forrester security and risk clients are monitoring their users to protect them, not exploit them, and these changes make their lives more difficult,” the report said.

Call to action

Security and risk professionals can’t control browsers or the internet, but they’re still responsible for securing the environment, Holmes wrote. While the evolutions of TLS 1.3, encrypted domain name system (DNS), and encrypted Server Name Indication (SNI) are recent and adoption rates are currently modest, security pros shouldn’t delay their preparations.

They have two years to put key capabilities in place, he said.

“As TLS 1.3 and DNS-over-HTTPS gain momentum, teams need to plan now to augment their inspection programs,” Holmes wrote. “Explicitly lay out a visibility upgrade program or piggyback it onto a larger effort like network modernization or digital transformation. Within the larger effort, incorporate tactical approaches to recapture network metadata and lost decryption capabilities.”

Only about one in four internet web properties currently offers TLS 1.3, Holmes wrote, citing Qualys Labs SSL Pulse data. “However, security pros should expect TLS 1.3 adoption outside of the megasites to increase by 10% per year.”


DNS-over-HTTPS is already supported by all major browsers and Microsoft’s Active Directory, Holmes said. Today, only Firefox enables it by default, and within two years, most modern browsers will as well, he said.

As TLS 1.3 and DNS-over-HTTPS become prevalent in the enterprise network and within public and private clouds, security professionals need to take several steps, including creating full-proxy inspection zones for inbound traffic, whether on-premises or in the cloud, Holmes wrote.

They must also augment their network monitoring with machine learning applied to the network metadata that remains, Holmes said.

They must also take back control of DNS, which he termed “the redheaded stepchild of IT: Operations hates running it, security doesn’t want it, and the one person who understands it is probably retiring any day now.”

Organizations will have to deploy a hybrid system that captures domain requests over DNS-over-HTTPS with on-premises systems, he said.
