21. June 2010 · Comments Off on HTTPS Everywhere – Will it increase risk? · Categories: Malware, Palo Alto Networks, Security-Compliance

The Electronic Frontier Foundation (EFF), in conjunction with The Tor Project, has announced a new Firefox plug-in called HTTPS Everywhere, which will automatically provide encrypted SSL sessions to major web sites that support HTTPS. Obviously, this is an effort to improve browsing privacy, but is it also increasing risks to those users? The answer could be yes.

If you are a road-warrior and use HTTPS Everywhere from your hotel room, I would agree that you are reducing the likelihood of a third party sniffing your traffic. However, HTTPS will increase risk for corporations whose firewalls or intrusion prevention systems do not have the ability to decrypt SSL. For example, one of the default sites encrypted by HTTPS Everywhere is Facebook. If you have policies that allow certain employees to use certain features of Facebook for marketing/sales purposes, you surely want to monitor that traffic for threats. Given the amount of malware on Facebook, an employee could inadvertently go to a page that downloads a trojan onto the employee’s workstation. If your firewall or IPS cannot decrypt SSL then it will not be able to detect the malware.