Security professionals need to act fast and put solutions in place before TLS 1.3 and DNS-over-HTTPS (DoH) are widely deployed, suggests Forrester Research.
Transport layer security (TLS) and the domain name system (DNS), two of the web's primary protocols, have undergone radical changes lately. The modifications were made to protect the privacy of browser users, including in enterprise environments.
At the same time, the changes will erode on-premises security over the next few years. Security professionals must therefore act on them now and put suitable security tools in place; otherwise they will be unable to detect cyber threats or analyze network traffic. These are the findings of the latest study by Forrester Research.
As David Holmes, Senior Research Analyst at Forrester Research, wrote in the company blog post: “While [the protocols] hide user activity from the searching eyes of nation-states and ISPs, they also hide valuable metadata from enterprise network inspection tools…Within the larger effort, incorporate tactical approaches to recapture network metadata and lost decryption capabilities.”
DoH and TLS 1.3 are the latest outcomes of the long conflict between privacy activists and the government surveillance community. These recent privacy changes are the result of those efforts: all browser data and metadata will be encrypted.
The changes have already fueled controversy, primarily because:
- Financial services firms have invested in passive decryption because regulation prohibits unencrypted data even on their internal networks, and TLS 1.3 is incompatible with those security inspection architectures.
- Because TLS 1.3 encrypts server certificates, security teams can no longer rely on them to control browsers or enforce network policies that stop users from reaching unsafe websites.
- DNS-over-HTTPS removes IT control. Privacy activists consider the current domain name system a critical privacy leak, so they proposed DNS-over-HTTPS, which encrypts DNS queries, to fix it.
However, Forrester noted that security professionals can still secure the network environment. Encrypted DNS, encrypted server name indication (SNI), and TLS 1.3 are still new, and adoption rates are currently modest, so security and risk teams should not delay their countermeasures.
Forrester's security and risk clients closely monitor their users in order to protect them. David Holmes also noted, “As these changes gain momentum, security monitoring tools will be blinded to the contents and destination of traffic and unable to detect threats. The network will be darker than it’s ever been.”
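The list above says which metadata disappears (the server certificate under TLS 1.3, the DNS query under DoH) and the paragraph above notes that encrypted SNI is next. To make that concrete, here is an added example (not from Forrester or the article) of the plaintext metadata a passive network tap can still recover from a TLS ClientHello: the SNI hostname and the offered protocol versions. It builds a constructed ClientHello, parses it, and flags connections to a hypothetical list of DoH resolver hostnames; the resolver list and the field names are assumptions for the example. Once encrypted SNI is deployed, even this classifier would go blind.

```python
import struct

# Assumption: a defender maintains a list of DoH resolver hostnames for policy
# purposes. These three are constructed sample entries for this example.
KNOWN_DOH_RESOLVERS = {
    "dns.google",
    "cloudflare-dns.com",
    "dns.quad9.net",
}

EXT_SERVER_NAME = 0          # RFC 6066 server_name extension
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 supported_versions extension
TLS13 = 0x0304


def build_client_hello(sni: str, versions) -> bytes:
    """Build a minimal TLS ClientHello record (constructed test input)."""
    server_name = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    if versions:
        ver_list = b"".join(struct.pack("!H", v) for v in versions)
        sv_body = struct.pack("!B", len(ver_list)) + ver_list
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body
    body = (
        b"\x03\x03"                     # legacy_version
        + b"\x00" * 32                  # random (zeros in the constructed sample)
        + b"\x00"                       # empty session_id
        + b"\x00\x02\x13\x01"           # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                   # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the metadata still readable in the clear: SNI and offered versions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                          # skip legacy_version and random
    pos += 1 + body[pos]                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                  # compression_methods
    result = {"sni": None, "versions": []}
    if pos + 2 > len(body):
        return result                     # legacy client without extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_VERSIONS and data:
            n = data[0]
            result["versions"] = [
                struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)
            ]
    return result


def classify(record: bytes) -> dict:
    """Annotate a ClientHello with what an inspection point can still conclude."""
    meta = parse_client_hello(record)
    meta["offers_tls13"] = TLS13 in meta["versions"]
    # If TLS 1.3 is negotiated, the server Certificate message is encrypted, so
    # the tap cannot fall back to certificate inspection; SNI is what remains.
    meta["certificate_may_be_hidden"] = meta["offers_tls13"]
    meta["likely_doh"] = meta["sni"] in KNOWN_DOH_RESOLVERS
    return meta


if __name__ == "__main__":
    for host, vers in (("dns.google", [TLS13, 0x0303]), ("example.com", [0x0303])):
        print(host, classify(build_client_hello(host, vers)))
```

The classifier only sees the first flight of the handshake, which is exactly why the article's point matters: with TLS 1.3 the certificate is gone from the wire, and with encrypted SNI the `sni` field would be empty too, leaving destination IP and timing as the only remaining signals.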