RedSocks Security on HTTPS in 2017

Malware stays hidden for 187 days on average. With the increased use of HTTPS, that number is likely to grow, meaning that it will take even longer before malware is detected.

HTTPS provides encryption. It should ensure that network data in transit is encrypted and therefore not readable by third parties. This same property has attracted the attention of cybercriminals and malicious insiders: by using HTTPS to encrypt their own activities, they increase their survival rate inside a targeted environment.


What is HTTPS?

HTTPS (also called HTTP over TLS, HTTP over SSL and HTTP Secure) is a protocol for secure communication via a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security, or its predecessor, Secure Sockets Layer. The main motivation behind HTTPS is authentication of a website and protection of privacy and integrity of the data exchanged.


Increasing global use of HTTPS

Companies are slowly becoming more aware that cyber security should be a mandatory item on the company agenda. This growing awareness among companies worldwide has resulted in an increase in HTTPS usage, and besides awareness, legal obligations are also met when HTTPS is implemented within the company infrastructure.


HTTPS means higher search engine ranking

Another factor is that Google and other search engines give a higher ranking to sites that use HTTPS.


Concerns from Google, Mozilla and Cloudflare

The web giants Google, Mozilla and Cloudflare have expressed their concerns regarding HTTPS interception by anti-virus companies. They claim that by intercepting HTTPS traffic, the anti-virus companies are downgrading the security level of these network connections. The research performed by Google, Mozilla, Cloudflare and two universities concluded that anti-virus companies use weak crypto algorithms, which in turn opens the possibility of man-in-the-middle attacks.


Man-In-The-Middle Attacks

A man-in-the-middle attack (often abbreviated mitm or MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.


Malicious use of HTTPS

The cybercrime ecosystem is well aware of the many advantages of implementing HTTPS in malicious campaigns. We at RedSocks Security have noticed an increase in the use of HTTPS by cybercriminals and by threat actors operating in malicious advertisements.

Another advantage being exploited by cybercriminals is the usage of HTTPS certificates to lure and keep potential victims on fake websites. For example, a hacker can set up a fake banking site with an HTTPS certificate, making it more difficult for the targeted user to notice that they are on a malicious site.

Cybercriminals are also aware that various security solutions have difficulty with HTTPS. According to research by Gartner, only 20% of companies have the capability of stripping HTTPS connections, which leaves the other 80% as more likely potential targets for cybercriminals.

The use of HTTPS for data exfiltration is another advantage being used by cybercriminals. Threat actors and cybercriminals use legitimate services as file storage environments. Environments such as Dropbox that support HTTPS are becoming increasingly popular among these criminals, as it is more difficult for security solutions to distinguish between legitimate and malicious traffic entering and leaving those environments.

Another reason for the increase in HTTPS usage is that companies are providing HTTPS certificates fully automated and free of charge. A perfect example of this is the Let’s Encrypt service.


What is Let’s Encrypt?

Let’s Encrypt is a free, automated and open certificate authority (CA) run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).


Certificate Authorities (CA)

Certificate Authorities are entities that issue digital certificates, and there are currently more than 650 operational certificate authorities. This means that cybercriminals can attempt to obtain a digital certificate from any one of those 650 authorities, and once they have done so they are able to use the certificate in their malware campaigns.

Badly configured or simply vulnerable?

Over the last couple of years, the world has witnessed various attacks on HTTPS and we’ve noted down a few of these attacks:

  • Browser Exploit Against HTTPS/TLS Attack (BEAST)
  • HTTPS Renegotiation attack
  • POODLE attack
  • Heartbleed

The Heartbleed attack, for example, made it possible for threat actors to eavesdrop on communications, allowing them to steal data from services and users.
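The interception concerns raised above (no chain validation, weak crypto) and the protocol-level attacks just listed (BEAST and POODLE both depend on SSLv3 or TLS 1.0 being negotiable) can be checked for in a client's TLS configuration without touching the network. The following is an added example, not RedSocks code: it uses only Python's standard ssl module, builds one hardened context and one deliberately weak context modelled on the interception behaviour the research criticised (both constructed for contrast, not taken from any product), and audits each for the weaknesses the article names.

```python
"""Auditing a TLS client configuration for the weaknesses the article lists.

Added example, not RedSocks code. Uses only Python's standard ssl module; the
two context builders are constructed for contrast, not taken from any product.
"""
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Client context that validates the server chain and hostname and refuses
    the SSLv3/TLS 1.0 range that POODLE and BEAST depend on."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0, TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION          # no TLS-level compression
    return ctx


def interceptor_like_context() -> ssl.SSLContext:
    """Constructed counter-example: no chain validation, no hostname check,
    and an old protocol floor, as a careless interception proxy might do."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1    # re-enables TLS 1.0 (and 1.1)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of weaknesses found; an empty list means the context passes."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) also lands here, which is
    # the right call: an unknown floor should be treated as a weak one.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (SSLv3/TLS 1.0/1.1 accepted)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    for name, builder in (("hardened", hardened_client_context),
                          ("interceptor-like", interceptor_like_context)):
        print(name, audit_context(builder()) or "OK")
```

The audit reads the context's own attributes, so it is safe to run in a build pipeline against whatever helper the application uses to create its sockets; a non-empty result is the signal to fix the helper, not the audit.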

RedSocks MIT’s Conclusion

There is no way to deny that the increase in HTTPS usage is going to bring some challenges along with it, challenges which we at RedSocks Security foresaw.

One of the main challenges that RedSocks Security is able to tackle is detecting malicious connections that make use of HTTPS. We believe that we do not need to look inside the encrypted payload: the behavior of an HTTPS connection alone is sufficient to distinguish between legitimate and malicious HTTPS traffic.


RedSocks Security’s Predictions for 2017:

  • Cybercriminals will (automatically) implement HTTPS in their malware.
  • The number of days that malware can stay hidden in an environment will increase.
  • Metadata behavior analysis is going to be key (looking at the sizes of packets, lifetime, etc.).
  • Increased use of free HTTPS certificate providers.
  • Increased use of HTTPS blocklists.
  • Increased number of companies that support HTTPS stripping.
  • Legitimate websites using HTTPS will become more attractive for cybercriminals, as HTTPS allows them to hide their C&C communication.

In any case, Security Officers should continue to perform vulnerability assessments of their (HTTPS) infrastructure and take the appropriate actions when malicious activity takes place or is suspected.


If you would like more information about malicious threat detection or post-incident response, don’t hesitate to reach out to the RedSocks Malware Intelligence Team at:

