New Internet protocols bring more privacy to users, but they have the side effect of blinding the traffic inspection and DNS filtering that enterprise network security depends on.
At RSA Conference last week, Internet pioneer Paul Vixie warned security professionals that traditional enterprise security controls such as traffic inspection and DNS filtering will not be possible under new Internet standards that emphasize user privacy. Standards such as DNS over HTTPS (DoH), the Encrypted Server Name Indication extension for Transport Layer Security 1.3 (TLS 1.3 ESNI), and HTTP/3 over the QUIC transport protocol protect traffic so that an observer on the network cannot see which sites users are accessing, let alone what content is being sent and received, said Vixie, chairman, CEO, and co-founder of Farsight Security. This leaves enterprise defenders “network blind.”
“A lot of CEOs have no idea this is coming and are not planning for it, budgeting for it, or trying to figure out exactly what they're going to do once they go dark and can't see what their own users are doing,” Vixie said.
The web technical community has been moving to “make everything the web does completely user-centric,” especially in response to the disclosures by former NSA contractor Edward Snowden, Vixie said. Applications and services are taking on tasks the operating system used to handle, such as name resolution and transport encryption, so security software that hooks the OS or watches the network no longer sees them. For example, mobile security apps and firewalls on the Wi-Fi network cannot tell whether a user of a voice-over-IP app is making a phone call. Making a phone call sounds benign, but if corporate security policy does not allow calls to a specific number in a certain country, no alarm will go off, because there is no way to detect that the call was made. The user can get around the corporate security policy, and the organization loses its audit capability.
“People who don’t want certain traffic to go through are looking for that traffic to block it,” Vixie said. “People who do want that traffic are changing the nature of the traffic to make it undetectable, and therefore unstoppable.”
Privacy by Design
Network operators have been losing visibility into their networks for quite some time, said Stephen Ludin, chief architect at Akamai. The current movement, spurred by concerns about nation-state surveillance and the desire for user privacy, makes the Internet default to privacy over operator control. Protocols such as HTTP/2, HTTP/3, and TLS 1.3 all follow that trend.
HTTP/2 was developed primarily as a performance boost, but the browser makers decided to support HTTP/2 only over TLS. In the HTTP/3 specification, cleartext (unencrypted) traffic does not exist as a concept, Ludin said. QUIC, the transport HTTP/3 runs on, integrates the TLS 1.3 handshake into the connection setup, so there is no unencrypted mode at all. Some enterprise activities, such as the way vulnerability scans are performed and browser plugins that block unwanted websites, will not work the way they used to, but the upside is “unparalleled privacy,” Ludin said.
“Our tools and approaches need to change to adapt to the changing times. Necessity is the mother of invention. New tools will emerge,” Ludin said.
While several major browsers have adopted DNS over HTTPS by default, widespread use of TLS 1.3 ESNI is still some way off. HTTP/3 rollout is also at an early stage: less than 5 percent of all websites use it, compared with 43.7 percent for its precursor, HTTP/2. However, some of the largest sites in the world (Google, YouTube, Wikipedia, Yahoo, and Amazon, as well as five major Chinese brands) have already rolled out HTTP/3, and together they account for a significant share of the sites users visit regularly.
Adapting to Change
With HTTP/3 over QUIC, the firewall can no longer read the data leaving and entering the network. QUIC encrypts nearly the whole packet, including most of the transport header, and carries the TLS handshake inside it, so a middlebox that does not itself speak QUIC sees only UDP datagrams to port 443. All the things CSOs rely on to protect enterprise networks become harder to use because they cannot see the traffic, let alone filter or block it. These changes pose challenges for regulated industries such as financial services, where organizations have to archive all incoming and outgoing communications for compliance purposes. They still need those middleboxes, but their effectiveness will decline as these technologies become more widespread.
Vixie suggested turning off QUIC on corporate devices by default so that enterprises can keep inspecting traffic. Browsers that cannot establish a QUIC connection fall back to HTTP/2 or HTTP/1.1 over TCP, so blocking outbound UDP to port 443 at the perimeter, or setting Chrome's QuicAllowed enterprise policy to false, has the same effect. The downside is that the enterprise misses out on the performance benefits HTTP/3 brings.
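Blocking all of UDP/443 also catches non-QUIC traffic such as DTLS, so a firewall that wants to block QUIC selectively has to recognize it on the wire. The Python below is an added example, not code from the article or from any firewall product: it parses the fields of a QUIC version 1 long-header packet that are sent in the clear (header form and fixed bits, version, and both connection IDs), which is all an on-path device can read without the keys. The sample Initial packet is constructed for the test; its connection IDs are arbitrary and the payload after the header is omitted.

```python
"""Classify a UDP payload as a QUIC v1 long-header packet (Initial, 0-RTT,
Handshake, Retry) or not, using only the fields QUIC leaves unencrypted."""
import struct
from typing import Optional

QUIC_V1 = 0x00000001
# Packet type lives in bits 4-5 of the first byte; QUIC's header protection
# only masks the low 4 bits of a long header, so the type stays readable.
LONG_HEADER_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}


def classify_quic(payload: bytes) -> Optional[dict]:
    """Return version, type and connection IDs for a long-header packet, else None."""
    if len(payload) < 7:
        return None
    first = payload[0]
    # Header Form (bit 7) = 1 means long header; Fixed Bit (bit 6) must be 1 in QUIC.
    if (first & 0xC0) != 0xC0:
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    if version == 0:                       # Version Negotiation packet (server -> client)
        return {"version": 0, "type": "VersionNegotiation"}
    dcid_len = payload[5]
    if dcid_len > 20 or 6 + dcid_len + 1 > len(payload):   # v1 limits CIDs to 20 bytes
        return None
    dcid = payload[6:6 + dcid_len]
    scid_len = payload[6 + dcid_len]
    if scid_len > 20 or 7 + dcid_len + scid_len > len(payload):
        return None
    scid = payload[7 + dcid_len:7 + dcid_len + scid_len]
    ptype = LONG_HEADER_TYPES[(first >> 4) & 0x03] if version == QUIC_V1 else "unknown"
    return {"version": version, "type": ptype, "dcid": dcid.hex(), "scid": scid.hex()}


def build_initial(dcid: bytes, scid: bytes = b"", version: int = QUIC_V1) -> bytes:
    """Constructed QUIC v1 Initial header for testing (test data, not captured traffic).
    Token, length and the encrypted payload are replaced by zero padding."""
    first = 0xC0 | (0 << 4)                # long header + fixed bit, type 0 = Initial
    return (bytes([first]) + struct.pack("!I", version)
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid + b"\x00" * 16)


def firewall_verdict(payload: bytes) -> str:
    """Policy from the article: drop QUIC so the browser falls back to TCP, pass the rest."""
    info = classify_quic(payload)
    return "drop-quic" if info is not None else "pass"


if __name__ == "__main__":
    pkt = build_initial(bytes.fromhex("8394c8f03e515708"), b"\x01\x02")
    print(classify_quic(pkt), firewall_verdict(pkt))
    print(firewall_verdict(b"\x16\xfe\xfd" + b"\x00" * 20))   # a DTLS record, not QUIC
```

Dropping only Initial packets is sufficient: a QUIC connection cannot be established without them, and the short-header packets that follow (first bit 0, which this classifier returns None for) never appear. Older Google QUIC versions and other non-v1 versions are reported as "unknown" type rather than guessed.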
Defenders still have the option of installing a root certificate on corporate devices in order to intercept HTTPS/TLS traffic inside their networks, Ludin said. This kind of man-in-the-middle for HTTP/3 is still possible because the specification did not change how the traffic is handled “in any substantial way,” Ludin said. In practice the intercepting proxy must terminate and re-originate QUIC connections itself; an inspection product that only speaks TCP has to force the browser's TCP fallback instead. Mobile and other non-browser applications that pin their server certificates will reject the proxy's certificate regardless of which roots are installed.
The ESNI extension to TLS 1.3 prevents upstream providers such as Internet service providers from seeing which sites users are accessing. Today a firewall that sits in the path of a connection can passively observe what enters and leaves the network and act on it if a policy says to block or allow certain traffic: even though the session is encrypted, the destination hostname is readable in the plaintext Server Name Indication field of the TLS ClientHello, and that single field is what most hostname-based filtering keys on. ESNI encrypts that field, so it will break next-generation firewalls because it will not be possible to transparently intercept outbound traffic, Vixie said. For many organizations, this could make it difficult to enforce bring-your-own-device policies, or put them in breach of their regulatory obligations.
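What a hostname-filtering firewall actually reads is the server_name extension of the ClientHello, the first message of a TLS connection, which both TLS 1.2 and TLS 1.3 send in the clear. The Python below is an added example, not code from the article or from any firewall vendor: build_client_hello constructs a minimal ClientHello as test input (the fixed random, the single cipher suite, and the draft-ESNI code point 0xFFCE carrying dummy bytes are assumptions for illustration), and extract_sni walks the record the way an inspection engine does. With ESNI the real hostname travels only inside an encrypted extension, so the same parser yields nothing useful, which is the breakage the article describes.

```python
"""Recover the destination hostname from a TLS ClientHello the way a
hostname-filtering firewall does, using only the plaintext SNI extension."""
import struct
from typing import Optional, Sequence, Tuple

EXT_SERVER_NAME = 0x0000
EXT_ESNI_DRAFT = 0xFFCE   # code point from the ESNI drafts; contents below are dummy (assumption)


def build_client_hello(hostname: Optional[str],
                       extra_exts: Sequence[Tuple[int, bytes]] = ()) -> bytes:
    """Constructed TLS record holding a minimal ClientHello (test input, not real traffic)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # NameType host_name(0)
        sni_data = struct.pack("!H", len(entry)) + entry             # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    for etype, edata in extra_exts:
        exts += struct.pack("!HH", etype, len(edata)) + edata
    body = (b"\x03\x03"                               # legacy_version TLS 1.2
            + b"\x11" * 32                            # client random (fixed for the test)
            + b"\x00"                                 # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                             # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                                    # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                         # not a ClientHello
            return None
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) != body_len:                                # truncated record
            return None
        pos = 2 + 32                                             # skip version and random
        pos += 1 + body[pos]                                     # legacy_session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos + 2 > len(body):
            return None                                          # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            lp = 2                                               # skip ServerNameList length
            while lp + 3 <= len(edata):
                ntype = edata[lp]
                nlen = struct.unpack("!H", edata[lp + 1:lp + 3])[0]
                lp += 3
                if ntype == 0:                                   # host_name
                    return edata[lp:lp + nlen].decode("ascii")
                lp += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                              # treat malformed input as no SNI


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))
    esni_only = build_client_hello(None, extra_exts=((EXT_ESNI_DRAFT, b"\x00" * 16),))
    print(extract_sni(esni_only))
```

Note the failure mode a real inspection engine must choose a policy for: when extract_sni returns None, the firewall either passes the connection blind or blocks every TLS session it cannot name. The bounds checks and the catch-all except are there because a parser on a network chokepoint will see deliberately malformed ClientHellos.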
One way to address this scenario is to set up an explicit proxy and force browsers and operating systems to use it, Vixie said. With an explicit proxy the client names the destination host in its CONNECT request, so the proxy learns the hostname regardless of whether the SNI inside the tunnel is encrypted. The challenge is that not every device can be set up that way, especially Internet of Things devices.
"Nobody is really aware of this. When I talk to a roomful of CISOs, their eyes get wide," Vixie said.
DNS over HTTPS, in which all Domain Name System queries travel inside encrypted HTTPS sessions so they cannot be intercepted, prevents man-in-the-middle attacks that manipulate DNS lookups, but it also blocks the enterprise’s ability to detect malware by watching for lookups of malicious command-and-control servers, and to stop users from reaching prohibited content by refusing to resolve those names. Already the default in Chrome and Firefox, DNS over HTTPS puts the application (or service) in charge of deciding which name resolver to use. Whatever the security policy says about which sites are accessible and which are blocked no longer matters, because the application bypasses the corporate DNS entirely. The two browsers’ defaults differ in an important way: Chrome’s automatic mode switches to DoH only when the system’s configured resolver is one of the providers Chrome already knows to offer DoH, so a corporate resolver is not bypassed, whereas Firefox, in the regions where it has turned DoH on by default, sends all DNS queries to its default trusted recursive resolver, Cloudflare, unless it detects an enterprise configuration telling it not to.
“If your corporate endpoint security policy requires certain things to not be possible, you won’t be able to enforce that policy,” Vixie said.
Mozilla offers IT teams two ways to turn this off enterprise-wide: the DNSOverHTTPS enterprise policy (set through policies.json or platform group policy), and the canary domain use-application-dns.net, which Firefox looks up through the system resolver before enabling DoH by default; if the corporate resolver answers NXDOMAIN, Firefox leaves DoH off. Defenders who cannot have DNS traffic bypassing enterprise DNS should take advantage of one of these, bearing in mind that the canary is honoured only for the default rollout and not when a user has explicitly switched DoH on.
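Verifying that the corporate resolver actually sends the canary signal is a one-query check. The Python below is an added example, not Mozilla's code or the article's: it builds a plain UDP DNS query for use-application-dns.net by hand, parses the RCODE of the reply, and reports whether Firefox's default-on DoH would stay off. The reply used in the offline test is constructed (constructed_reply) rather than captured; query_resolver sends a live query when run from the command line with a resolver address.

```python
"""Check whether a resolver answers Firefox's DoH canary domain with NXDOMAIN,
the signal Firefox honours to leave DNS over HTTPS off on a managed network."""
import os
import socket
import struct
from typing import Optional

CANARY = "use-application-dns.net"
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: Optional[int] = None, qtype: int = 1) -> bytes:
    """Standard recursive query (RD=1) for name; qtype 1 = A, class 1 = IN."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")     # random id, as a real stub does
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_rcode(response: bytes, expected_txid: int) -> int:
    """Return the RCODE of a reply after checking it really answers our query."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F


def canary_blocks_doh(response: bytes, expected_txid: int) -> bool:
    """True when the resolver's answer tells Firefox to keep DoH disabled."""
    return parse_rcode(response, expected_txid) == RCODE_NXDOMAIN


def constructed_reply(query: bytes, rcode: int) -> bytes:
    """Constructed test data: the reply a resolver would send for query, echoing
    the question section. An NXDOMAIN reply carries no answer records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode                   # QR=1, RD=1, RA=1, plus the RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + query[12:]


def query_resolver(server: str, name: str = CANARY, timeout: float = 2.0) -> int:
    """Send the canary query over UDP to server:53 and return the RCODE (needs network)."""
    q = build_query(name)
    txid = struct.unpack("!H", q[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return parse_rcode(data, txid)


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    rc = query_resolver(server)
    verdict = "Firefox keeps DoH off" if rc == RCODE_NXDOMAIN else "Firefox may enable DoH"
    print(f"{server}: rcode={rc}: {verdict}")
```

Run it against every resolver your DHCP and VPN configurations hand out, not just the primary; Firefox consults whichever system resolver the client happens to be using, and a branch office resolver that forwards the canary upstream will return NOERROR and silently re-enable DoH there.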
Working With Privacy
There hasn’t been a lot of discussion about how these new standards would interfere with existing regulatory and legal activities because that is not the primary focus of the stakeholders, Vixie said. The Internet Engineering Task Force is dominated by representatives from browser-makers, web companies, and web services. The organizations who really want to use the firewall to protect the endpoints are “not in the room.”
The difficulty arises from the fact that the activities that make enterprise security possible, such as filtering, monitoring, and packet inspection, are indistinguishable from what a nation-state actor would do. Unfortunately, there is really no technical way to allow some parties to perform a certain activity and not others.
“None of the people in the web technical community cares about the enterprise at all,” Vixie said. “They got nothing against us. They wish they could get done what they really want to do, without it impacting us in this way, but they can't.”
Just because maintaining security is going to be difficult doesn’t mean there is nothing defenders can do as these new standards become more widespread, Ludin said. “Organizations can adapt, and find ways to get [security] things done.”