SSL Decryption with PVS

SSL Overview

If an attacker can intercept the data sent between a browser and a web server, they can read and use that information. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), provide privacy and data integrity, allowing secure transmission of sensitive information such as credit card numbers, social security numbers, and login credentials. SSL decryption uses keys to decode the traffic between the client and server, so you can only decrypt traffic if you have access to the private key used to encrypt it.

PVS and SSL Encrypted Traffic

As websites and services begin to default to encrypted connections, you can use a decryption appliance with PVS (Passive Vulnerability Scanner) to improve visibility into your network infrastructure by decrypting encrypted traffic and eliminating blind spots. The following image shows a typical PVS configuration in which encrypted traffic is not detected:

For PVS to detect threats and vulnerabilities within encrypted traffic, a decryption appliance must be deployed to decrypt the SSL traffic so that PVS can process the packets. The following image shows a PVS configuration using a decryption appliance:

Decryption Limitations

A decryption appliance gives PVS the ability to process encrypted traffic; however, additional technologies exist that can still prevent PVS from processing packets from some sessions. The following are two of the most common ways that sessions are further secured so that PVS cannot process their traffic.

HTTP Strict Transport Security (HSTS)

HSTS is a web security policy mechanism that allows web servers to require clients to communicate only over encrypted channels. HSTS is used to prevent SSL stripping attacks, which downgrade a secure HTTPS connection to a plain HTTP connection.

HSTS Preloading and Public Key Pinning

When connecting to an HSTS host for the first time, the browser does not know whether to use a secure connection, so an attacker could prevent the browser from ever connecting securely. To mitigate this attack, browsers include a preloaded list of websites, such as Google, Dropbox, and Facebook, for which HSTS is enforced by default; traffic to these sites can therefore evade detection by PVS. Browsers also include a variation of certificate pinning built on the HSTS mechanism: a preloaded set of public key hashes in the HSTS configuration limits the valid certificates to only those that carry the specified public key.
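The HSTS behaviour described above, as an added example that is not part of the original page or Tenable's code: a small model of a browser's HSTS policy cache, with the preload list contents and host names constructed for illustration. It shows why, once a policy is cached or preloaded, no plain-HTTP packet for that host is ever sent, so a passive sensor without a decryption appliance sees only ciphertext, while an unknown host's first connection can still go out in the clear.

```python
import time

# Constructed stand-in for a browser's built-in HSTS preload list: host -> includeSubDomains.
PRELOADED = {"example.com": True}


def parse_hsts(header):
    """Parse a Strict-Transport-Security value; returns (max_age, include_subdomains) or None."""
    max_age, include_sub = None, False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: the whole header is ignored
            if max_age is None:  # only the first max-age directive counts
                max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Cache of HSTS policies learned over HTTPS, keyed by host name."""

    def __init__(self, now=time.time):
        self._now, self._hosts = now, {}

    def observe(self, host, header):
        """Record (or, for max-age=0, forget) the policy a host sent over HTTPS."""
        policy = parse_hsts(header)
        if policy is None:
            return
        max_age, include_sub = policy
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._now() + max_age, include_sub)

    def must_use_https(self, host):
        """True if http://host is upgraded to https before any packet leaves the browser."""
        labels = host.lower().split(".")
        for i in range(len(labels)):  # check the host, then each parent domain
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in PRELOADED and (exact or PRELOADED[candidate]):
                return True
            entry = self._hosts.get(candidate)
            if entry and entry[0] > self._now() and (exact or entry[1]):
                return True
        return False  # unknown or expired host: the first request may still be plain HTTP
```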

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.