Why organizations should consider HTTPS inspection to find encrypted malware


Some 67% of all malware seen in the first quarter was delivered via HTTPS, according to security firm WatchGuard Technologies.


HTTPS was designed to secure web traffic by encrypting communications, and thus to prevent man-in-the-middle attacks and other forms of eavesdropping. But that same encryption can hide malicious traffic directed at an organization, since a secure gateway by itself cannot inspect encrypted content.

HTTPS inspection is a process in which encrypted web traffic is decrypted at a gateway so that its content can be analyzed, though some organizations shy away from the technique because, if implemented improperly, it can do more harm than good. A report released Wednesday by WatchGuard Technologies explains why HTTPS inspection can help in your security analysis.


In its Internet Security Report for Q1 2020, WatchGuard reported that 67% of all malware last quarter was delivered via HTTPS. Since more websites now use HTTPS for encrypted connections, many WatchGuard customers have enabled HTTPS inspection, which looks for malicious content by decrypting traffic at the gateway. Though signature-based security products can combat known threats, they’re unable to block much of the malware that can get through unless combined with the inspection of encrypted traffic.

Setting up HTTPS inspection can be tricky and does require extra effort. If configured incorrectly, the process can actually weaken the end-to-end encryption and the protection that security gateways and products are meant to provide.

“Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option,” Corey Nachreiner, chief technology officer at WatchGuard, said in a press release. “As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”

A report from the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) offers some recommendations on HTTPS inspection.

“Organizations using an HTTPS inspection product should verify that their product properly validates certificate chains and passes any warnings or errors to the client,” CISA said. “A partial list of products that may be affected is available at The Risks of SSL Inspection. Organizations may use badssl.com as a method of determining if their preferred HTTPS inspection product properly validates certificates and prevents connections to sites using weak cryptography. At a minimum, if any of the tests in the Certificate section of badssl.com prevent a client with direct Internet access from connecting, those same clients should also refuse the connection when connected to the Internet by way of an HTTPS inspection product.


“In general, organizations considering the use of HTTPS inspection should carefully consider the pros and cons of such products before implementing,” CISA added. “Organizations should also take other steps to secure end-to-end communications, as presented in US-CERT Alert TA15-120A.”
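The badssl.com certificate check CISA describes above, written out as an added example that is not part of the article, WatchGuard's report or CISA's guidance. The script attempts a verified TLS handshake to a subset of real hosts from badssl.com's Certificate section (the selection and the pass/fail expectations are my own) and flags any must-refuse host that connects; run it once from a client with direct Internet access and once from behind the inspection product, and the verdicts should match.

```python
import socket
import ssl

# Subset of badssl.com's Certificate tests (real hostnames). True means a
# validating client must refuse; badssl.com is the control and must connect.
BADSSL_CERT_TESTS = {
    "badssl.com": False,
    "expired.badssl.com": True,
    "wrong.host.badssl.com": True,
    "self-signed.badssl.com": True,
    "untrusted-root.badssl.com": True,
}

def tls_connect_ok(host, port=443, timeout=5.0):
    """TLS handshake with default verification (chain + hostname).
    Returns (connected, reason). Behind an inspection product the client
    sees the gateway's certificate, so "connected" on a must-refuse host
    means the gateway accepted a bad upstream certificate and hid it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.getpeercert()  # handshake done, certificate verified
        return True, "connected"
    except ssl.SSLCertVerificationError as exc:
        return False, f"refused: {exc.reason or exc}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"error: {exc}"

def evaluate(results, expectations=BADSSL_CERT_TESTS):
    """Map each host to a PASS/FAIL verdict. FAIL on a must-refuse host is
    the CISA finding: a bad certificate was accepted somewhere on the path.
    FAIL on the control means inspection is breaking valid TLS."""
    verdicts = {}
    for host, must_refuse in expectations.items():
        connected, reason = results[host]
        if must_refuse and connected:
            verdicts[host] = "FAIL: accepted, expected refusal"
        elif not must_refuse and not connected:
            verdicts[host] = f"FAIL: control site refused ({reason})"
        else:
            verdicts[host] = f"PASS ({reason})"
    return verdicts

if __name__ == "__main__":
    observed = {h: tls_connect_ok(h) for h in BADSSL_CERT_TESTS}
    for host, verdict in evaluate(observed).items():
        print(f"{host:28} {verdict}")
```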

To bolster your overall security defenses, WatchGuard also offers the following advice:

  • TLS inspection is a necessity. Only inspecting unencrypted traffic doesn’t cut it anymore. If you don’t inspect TLS encrypted traffic, you will only catch a third of the malware coming into your network. Configure your network perimeter to inspect encrypted traffic in a secure way with the use of trusted certificates. While it is a bit of extra work, once completed, the firewall will have visibility into the other two-thirds of malware you’d miss otherwise.
  • Use a layered defense. Using an outdated single layer of defense on your network perimeter is not enough to block most attacks. No antivirus product can protect you from every malware variant but a layered defense consisting not only of signature-based security but also machine learning, malware sandboxing, and education of the end user can increase your chances against the current threat landscape significantly. In addition, we recommend endpoint detection on individual computers for protection against malware that bypasses the perimeter, such as variants spread through USB drives or smartphones.
  • Block Command and Control (C2C) channels and malicious sites. Ransomware and other malware increasingly spread through compromised sites and name squatting, where the name of the malicious site looks like the name of a popular real site. Network security services need a real-time guard to prevent botnets from accessing Command and Control domains as well as prevent users from visiting phishing sites. Any endpoint detection should also include protection against ransomware by not only blocking the malware but also blocking any actions the ransomware takes against business-critical data. Leverage security services that block these sorts of sites via DNS or normal HTTP queries.
