Unmonitored HTTPS is a security threat

The HTTPS protocol, which every internet user relies on, can be recognised by the https:// prefix in the URL.  Many users use HTTPS for internet banking because it protects against eavesdropping, and this is exactly where the misconception about the safety of the HTTPS protocol begins: HTTPS uses encryption and protects against eavesdropping only.  Internet banking over HTTPS has already been successfully targeted by hackers and viruses.

Encryption is a useful feature for internet banking and at the same time a welcome feature for hackers, thieves, VPNs, proxy tunnels and computer viruses: because HTTPS is encrypted and is monitored neither by antivirus software nor by any other inspection mechanism, it is the ideal channel for connecting to servers on the internet.  Almost all corporate firewalls pass HTTPS traffic without monitoring or filtering, and therefore HTTPS is beyond any doubt a security threat that needs to be addressed properly.

HTTPS was originally HTTP with a TLS/SSL encryption layer and uses port 443.  Web proxies are commonly configured to simply pass all traffic on port 443, assuming that the traffic is encrypted HTTP.  The reality is different: many applications rely on the 'pass without further inspection' behaviour of web proxies to run other protocols on port 443.  These protocols on port 443 are used for chat, video playback, Skype, TeamViewer, SSH tunnels, VPNs, browsers like UC and Silk, viruses, and anything else.

The security threat cannot be explained well without going into technical details.  Readers who do not follow the technical details can go to Google, search for "punching holes into firewalls" and look at the overwhelming list of results and all the details provided for circumventing even the most advanced corporate firewall.  The technical audience can search for "tunneling SSH over HTTPS".

Proxy tunnels are an easy way to open a gateway from a protected, firewalled LAN to any computer system in the world, and the software to do this is found with a simple search on Google.  The tunnel can even be configured to be bi-directional: from a designated computer system outside the protected LAN, communication to any computer system on the protected LAN can be initiated!  Various types of proxy tunnels exist, and one of the easiest to use is an SSH tunnel.

SSH is short for "secure shell", where secure only means protected against eavesdropping; it implements a pseudo "security" for communication (shell, ftp, X Windows and any other TCP-based application) between computers.  One of the basic features of SSH is bi-directional port tunneling.  This feature is a true nightmare for security officers, because firewalls have no knowledge of what is done inside an SSH session and new connections over an existing tunnel can be made from outside the corporate LAN to inside it.

ufdbGuard puts an end to this nightmare for security officers and can block SSH tunnels.  It also blocks proxy tunnels, and blocks access to sites that use HTTPS without a proper SSL certificate and/or sites addressed by an (anonymous) IP address.

ufdbGuard respects the privacy of users and never decrypts HTTPS traffic.
ufdbGuard dynamically probes HTTPS sites and selectively blocks HTTPS traffic.  It can:

  • optionally block sites which do not speak SSL+HTTP (e.g. SSH tunnels)
  • optionally block known tunneling applications
  • optionally block sites without a properly signed SSL certificate
  • optionally block sites with weak SSL encryption
  • optionally block sites with an IP address in the URL
  • optionally block sites which use HTTPS ports for chat applications
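The kind of probing the list above describes, as an added example that is not ufdbGuard's own code: a small Python probe that connects to a destination on port 443, listens briefly for a protocol that speaks first (SSH announces itself before the client sends anything), then attempts a certificate-verified TLS handshake, plus a verdict function applying three of the listed options (IP address in the URL, not speaking TLS, certificate that does not verify). The function names, the 0.5-second listen window and the sample URLs in the comments are assumptions; the probe only opens a normal TLS session to the server and decrypts nothing.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

def host_is_ip_literal(url: str) -> bool:        # "sites with an IP address in the URL"
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def classify_first_bytes(data: bytes) -> str:
    # A TLS server is silent until it gets a ClientHello; unsolicited data means another protocol.
    if data.startswith(b"SSH-"):
        return "ssh"                               # SSH sends 'SSH-2.0-...' before the client speaks
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"                               # TLS handshake record header
    return "silent" if not data else "other"

def probe(host: str, port: int = 443, timeout: float = 3.0) -> dict:
    result = {"speaks": None, "cert_ok": False, "tls_version": None, "cipher": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(0.5)                       # assumed listen window for server-first protocols
        try:
            banner = sock.recv(64, socket.MSG_PEEK)  # peek only; nothing is consumed
        except socket.timeout:
            banner = b""
        result["speaks"] = classify_first_bytes(banner)
        if result["speaks"] != "silent":
            return result                          # e.g. an SSH tunnel endpoint on port 443
        sock.settimeout(timeout)
        ctx = ssl.create_default_context()         # verifies chain + hostname, rejects weak ciphers
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result.update(speaks="tls", cert_ok=True, tls_version=tls.version(), cipher=tls.cipher()[0])
        except ssl.SSLCertVerificationError:
            result["speaks"] = "tls"               # spoke TLS, but the certificate does not verify
        except OSError:
            result["speaks"] = "other"             # non-TLS reply to the ClientHello, or connection dropped
    return result

def verdict(url: str, result: dict) -> str:
    if host_is_ip_literal(url):
        return "block: IP address in URL"
    if result.get("speaks") != "tls":
        return f"block: port 443 speaks {result.get('speaks')}, not TLS"
    if not result.get("cert_ok"):
        return "block: certificate does not verify"
    return "allow"
```

A proxy would call `verdict(url, probe(host))` once per new destination and cache the answer; the first-bytes classifier and the verdict can be exercised offline with constructed data.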