Security professionals must act before TLS 1.3 and DNS-over-HTTPS (DoH) are implemented or they won’t be able to analyze network traffic and detect cyberthreats, warns Forrester Research.
Transport layer security (TLS) and DNS, two of the foundational protocols of the internet, have recently undergone radical changes to protect browser user privacy. At the same time, they will reduce security on-premises in the short term, and security professionals must put tools in place in the next couple of years, a new report from Forrester Research states.
“While [the protocols] hide user activity from the searching eyes of nation-states and ISPs, they also hide valuable metadata from enterprise network inspection tools,” according to Forrester Research’s senior analyst, David Homes. “As these changes gain momentum, security monitoring tools will be blinded to the contents and destination of traffic and unable to detect threats. The network will be darker than it’s ever been.”
Privacy activists have gone up against the government surveillance community advocating for encryption and have been working within the Internet Engineering Task Force (IETF) to provide countermeasures against eavesdropping and data collection, Holmes wrote. The latest version, TLS 1.3, and encryption of the domain name system are the results of their most recent efforts.
SEE: SSL Certificate Best Practices Policy (TechRepublic Premium)
But these changes have stirred controversy, he said, because:
The financial services community has invested heavily in passive decryption, because regulation prohibits unencrypted data, even on their internal networks. The privacy activists engineered TLS 1.3 to require “forward secrecy,” making it incompatible with the security inspection architectures of large financial services.
TLS 1.3 encrypts server certificates, meaning security teams can no longer apply network policies that prevent users from visiting sites with unsafe certificates, including those that are expired, revoked, or self-signed.
DNS-over-HTTPS removes IT control. Privacy activists see the current domain name system as a significant privacy leak and have proposed encrypting DNS-over-HTTPS to fix it. Browsers and content delivery networks (CDNs) adopted it as quickly as they could, even over the protests of many detractors. One of the most vocal opponents, Holmes wrote, is Paul Vixie, the godfather of DNS.
The report stresses that security professionals should be aware of the coming changes. “Many security tools such as enterprise firewalls, secure web gateways, and cloud access security brokers (CASBs) block users from going to known-bad websites by examining three key pieces of metadata in the encrypted traffic,” Holmes wrote. Three metadata will be disappearing from network traffic soon: the user’s DNS request, the target’s SSL certificate, and the Server Name Indication SNI.
“Most Forrester security and risk clients are monitoring their users to protect them, not exploit them, and these changes make their lives more difficult,” the report said.
Call to action
Security and risk professionals can’t control browsers or the internet, but they’re still responsible for securing the environment, Holmes wrote. While the evolutions of TLS 1.3, encrypted domain name system (DNS), and encrypted server name indicator (SNI) are recent and right now the adoption rates are modest, security pros shouldn’t delay their preparations.
They have two years to put key capabilities in place, he said.
“As TLS 1.3 and DNS-over-HTTPS gain momentum, teams need to plan now to augment their inspection programs,” Holmes wrote. “Explicitly lay out a visibility upgrade program or piggyback it onto a larger effort like network modernization or digital transformation. Within the larger effort, incorporate tactical approaches to recapture network metadata and lost decryption capabilities.”
Only about one in four internet web properties currently offers TLS 1.3.7, Holmes wrote, citing Qualys Labs SSL Pulse data. “However, security pros should expect TLS 1.3 adoption outside of the megasites to increase by 10% per year.”
DNS-over-HTTPS is already supported by all major browsers and Microsoft’s Active Directory, Holmes said. Today, only Firefox enables it by default, and within two years, most modern browsers will as well, he said.
As TLS 1.3 and DNS-over-HTTPS become prevalent in the enterprise network and within public and private clouds, security professionals need to take several steps, including creating full-proxy inspection zones for inbound traffic, whether on-premises or in the cloud, Holmes wrote.
They must also augment their networking monitoring with machine learning applied to the network metadata that remains, Holmes said.
They must also take back control of DNS, which he termed “the redheaded stepchild of IT: Operations hates running it, security doesn’t want it, and the one person who understands it is probably retiring any day now.”
Organizations will have to deploy a hybrid system that captures domain requests over DNS-over-HTTPS with on-premises systems, he said.