What can go wrong with just Transport Level Encryption?

Transport Level Security only provides point-to-point encryption: it protects a message while it travels directly from the consumer to a Web Service, with no intermediaries in between. It is ideally suited to the case where both the client IPs and the web service endpoints reside on the same intranet.

SSL interception

With SSL interception, you “ask” for an HTTPS connection to (for example) www.google.com. The company’s switch, router or proxy hands you a valid certificate naming www.google.com as the endpoint, so your browser does not complain about a name mismatch. Instead of being signed by a mutually trusted third party, however, the certificate is signed by the hacker’s own certificate authority (operating somewhere within the hacker’s company), and that authority also happens to be trusted by your browser, since it sits in your trusted root CA list, which the company controls.

The company’s proxy then establishes a separate SSL-encrypted connection to your target site (in this example, www.google.com), but the proxy/switch/router in the middle is now capable of logging all of your traffic.

You still see a lock icon in your browser, since the traffic is encrypted up to your company’s inner SSL endpoint using their own certificate, and then re-encrypted from that endpoint to your final destination using the destination’s SSL certificate. The man in the middle (the proxy/router/switch), however, can now log, redirect, or even tamper with all of your traffic.

Message Level Encryption

Since the entire message is secured in Message Level Security, intermediaries do not pose a problem. Even if the certificate interception mentioned above occurred, there would be no easy way to decrypt the traffic being logged in the proxy server.

    Message-level encryption would guarantee that the message remains encrypted, even during these intermediate “hops” where the traffic itself is decrypted.
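As an added illustration (not code from the original post), the path described above simulated end to end: a TLS-terminating proxy logs every request body it forwards, and only the message-level layer decides whether that log holds plaintext or opaque ciphertext. The toy cipher (an HMAC-SHA256 keystream plus an HMAC tag) stands in for a real scheme such as WS-Security or JWE, the pre-shared MESSAGE_KEY replaces the usual step of wrapping a fresh key to the service's public key, and the proxy, payload and function names are all constructed for this example.

```python
import hmac, hashlib, os
# Toy message-level scheme standing in for WS-Security/JWE: HMAC-SHA256 counter-mode
# keystream plus HMAC tag (use AES-GCM in practice). MESSAGE_KEY is a constructed value.
MESSAGE_KEY = hashlib.sha256(b"constructed-demo-key").digest()

def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt and authenticate the whole body: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Check the tag before decrypting, so any change made in transit is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message body altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def intercepting_proxy(log, body, tamper=None):
    """The TLS-terminating middlebox: it sees each HTTP body and can log or alter it."""
    log.append(body)
    return tamper(body) if tamper else body

def call_service(body, proxy_log, message_key=None, tamper=None):
    """Client -> proxy -> service; the TLS hop is implicit since the proxy terminates it."""
    on_wire = seal(message_key, body) if message_key else body
    delivered = intercepting_proxy(proxy_log, on_wire, tamper)
    return unseal(message_key, delivered) if message_key else delivered

def demo():
    body = b'{"account":"12345","amount":250}'  # constructed sample payload
    plain_log, sealed_log = [], []
    transport_only = call_service(body, plain_log)
    message_level = call_service(body, sealed_log, MESSAGE_KEY)
    try:  # the proxy flips one ciphertext bit; the service must refuse the message
        call_service(body, sealed_log, MESSAGE_KEY, tamper=lambda b: b[:20] + bytes([b[20] ^ 1]) + b[21:])
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"transport_only_ok": transport_only == body,
            "proxy_logged_plaintext": plain_log[0] == body,
            "message_level_ok": message_level == body,
            "proxy_logged_ciphertext": sealed_log[0] != body and len(sealed_log[0]) == len(body) + 48,
            "tamper_detected": tamper_detected}
```

With transport-only protection the request is delivered intact but the proxy's log contains the plaintext body; with the message-level layer the service still reads the body, the log holds only ciphertext, and the proxy's one-bit modification is rejected.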

Summary

For securing web services, true end-to-end encryption means encrypting the entire message, rather than relying on transport level encryption alone (default SSL).

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma, who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.