Feb 11, 2011

Facebook Rolls Out HTTPS: What It Means for Enterprises and Equipment Manufacturers

by Scott Register

By Scott Register

In a recent show of support for privacy and security concerns, Facebook made the somewhat surprising move to offer customers the option to encrypt all of their communication via Hypertext Transfer Protocol Secure (HTTPS). Previously, this option was only available for authentication — and even that feature was fairly new. The introduction of the HTTPS option is of great benefit to users, who now have more control over who gets to read their breathless yammerings about drinking games, weather updates, and groping around in the dark.

But more to the point, as social networking encroaches further upon the real world, security continues to grow more important. For one thing, hiring organizations frequently comb through a candidate’s social networking history to search for trouble signs, which means that malicious or false postings can have a detrimental impact on one’s career. Besides that, if real money is used to pay for virtual goods in games played on Facebook, one certainly wants credit card transactions adequately secured.

Impacts on Business

So this development is good for Facebook users, but it has repercussions for other audiences as well — especially the companies that employ Facebook’s millions of users and the network equipment manufacturers who supply those companies with IT security devices. Faced with potential intellectual property loss or Acceptable Use Policy violations, many organizations choose to allow their employees to access social networking sites such as Facebook, but monitor or restrict their activities. (A company might allow reading news feeds, for instance, but block uploads, since those could contain sensitive company data.)

In addition, social networking sites and other sites which allow user-generated content are prime distribution points for drive-by malware, so corporate IT staff will naturally want to inspect inbound traffic to keep malware out. When that traffic is encrypted — as it is in HTTPS — the enterprise faces a new set of challenges.

For employers, this means deploying gear that can decrypt, inspect, and then re-encrypt the Secure Socket Layer (SSL) connections that HTTPS uses. In some cases, this will mean engaging a previously unused feature in their current equipment. But SSL processing places a significant demand on deep packet inspection (DPI) equipment such as data loss prevention (DLP) systems, especially if they have to perform both decryption and re-encryption of every message that passes either way. Many enterprises will find that the DPI device they procured six months ago suddenly will not perform at their desired rate, leaving them with unenviable options: upgrading their gear, allowing Facebook traffic to pass uninspected, or blocking Facebook traffic entirely. And while the last option may seem the easy choice, many companies are finding that social media is a valid marketing channel, so cutting off access will have a negative business impact. Certainly, before turning on SSL inspection, an IT security manager will need to understand both the capabilities of their DPI device and its impacts on throughput, latency, and stability.

For the manufacturers of DPI devices, Facebook’s HTTPS move presents both an opportunity and a challenge. Many customers will need to upgrade their security gear, and the equipment makers with better SSL capabilities will be better positioned to meet that surge of customer demand. On the flipside, many of those manufacturers will not have had their SSL inspection capabilities put to broad use in the past, and may not even have a realistic understanding of the performance of their own devices. Sure, they’ll know how well a device performs under ideal lab conditions, when it’s handling trivial ciphers and long connections of big packets. These are, in most cases, the conditions used to produce the numbers you’ll find on manufacturers’ data sheets. But the vendors may never have validated their equipment against the cipher strengths and traffic patterns they’ll encounter when processing Facebook traffic.

Where We Come In

Many companies don’t even have that kind of validation capability — unless, of course, they’re using a BreakingPoint CTM. Our products offer a full Facebook implementation [PDF link] that can present realistic traffic in either two-armed mode (where we model both the users and the Facebook servers they interact with) or one-armed mode (where we model the clients but connect to the real Facebook servers). BreakingPoint’s Facebook support includes features such as authentication, status updates, chat message send/receive, news feeds, and even creation of photo albums and photo uploads. The BreakingPoint FireStorm CTM, which we just announced this week, can also produce SSL bulk encryption at up to 38 Gbps, which is enough to put even the fastest DPI devices through a tough workout.

Our new Markov Text Generation capability also makes it easy to generate highly realistic messages. In fact, an IT administrator can supply messages from their own users, and the Markov generator will use that as the input to generate new messages. Put all these features together, and you have everything you need to create very accurate simulations of how Facebook HTTPS will act as it traverses your infrastructure and flows through your DPI devices.

If they’re armed with BreakingPoint, enterprises and equipment manufacturers can approach the challenge of social media encryption with complete confidence. If not, well, they’re just groping around in the dark.

Related posts:

Tags: