The SSL (Secure Sockets Layer) protocol is a popular Internet protocol for allowing a client computer to engage in secure communications with a server computer. For example, using the SSL protocol, a user may divulge his credit card number to a merchant's Website secure in the knowledge that all communications with the Website are encrypted. However, the SSL protocol provides that encrypted communications must pass straight through the enterprise firewall unexamined. This is because the SSL protocol requires end-to-end encryption (from server to browser). This can be dangerous, as it means that data can be stolen or malicious computer code tunneled through the firewall impervious to examination by security scanning software associated with the firewall.
Enterprises are reluctant to deal with this problem, because there are so many useful Websites that require SSL in order to operate properly, e.g., sites performing credit card transactions. Attempts to provide whitelists of allowable SSL Websites anger internal users and create a high administrative burden for security administrators.
As firewalls are configured to block traffic more strictly on ports known to be used by Remote Access Trojans (RATs) or suspicious traffic in general, attackers are increasingly tunneling return traffic from a compromised computer to the attacker's network using SSL. Tunneling using SSL allows a compromised host computer to communicate through the enterprise firewall, and the strong encryption provided by SSL prevents security software from examining and recognizing the dangerous contents of that traffic.
One solution to this problem is known as “SSL stripping”. In this patent application, including claims, “SSL stripping” means that a proxy associated with the firewall is configured to conduct a type of intentional man-in-the-middle attack on SSL traffic. The client computers within the enterprise network are configured to trust an enterprise signing key, and the proxy uses said enterprise signing key to spoof an arbitrary Website outside the confines of the enterprise network, thus enabling the proxy to decrypt and then carefully examine the SSL traffic. SSL stripping is powerful but is not appropriate in all circumstances, because of its increased overhead and for other reasons.
What is needed is a way to determine when SSL stripping is appropriate and when it is not appropriate. The present invention solves this problem.