In a recent presentation I saw, the speaker was talking about wire data and how it is becoming irrelevant in the new Software Defined Network (SDN) – and a couple of other acronyms that I can’t remember. He went on to say that you can now find malware in encrypted traffic using JA3 hashes and several other methods, which sounded cool. I was still not sure about all of this and wanted to read more about it. As with most cool new things, I assumed there were some caveats, and of course that the bad guys would read about this and figure out ways to circumvent it.
But what he said next made me really start thinking… His exact statement was, “decrypting data makes me feel dirty.” This struck me as odd. For some reason, I started thinking about marketing and how companies come up with terms, or put a spin on things, to win business by making buyers feel uncomfortable about doing certain things.
I once heard a story about Ford (not bashing them, I own one). Way back in the early days, they caught some bad press. Remember, there were no cars back then and people walked freely on the roads. When Ford began selling cars, pedestrians started getting hit. Then, the term “jaywalking” was coined to discourage people from walking in the streets and after a while, it caught on and fewer and fewer people were walking on the streets. Eventually, jaywalking was legally banned.
Back to the “decrypting data makes me feel dirty” statement – this starts to sound like a marketing ploy to me, but let’s look at it further. Are there other issues with decrypting wire data? Why would you want to, and why would you not want to? If you’re decrypting and storing the entire packet, I could see there being some concerns around Personally Identifiable Information (PII), PCI data, and even companies’ proprietary information being exposed. But what if you could decrypt it, analyze it, and pull the important stuff out, like error codes, POST and GET timings, successful and failed transaction information, plus so much more? And then have the decoded packet tossed, so that no PII is ever kept?
Here is a great example: You have a website that users log into. In most cases, developers do not use the normal 401 authentication failure response, since most users would have no idea what that means. Most websites actually return a 200 with some text on the page (e.g. “Failed Login” or “Username and Password are Incorrect. Please try again.”). Well, if that traffic were encrypted, I would never see that on the wire – and in the web logs, all you would see is a 200, unless your developers wrote a special event for it (that rarely happens). Now, if I can decrypt that packet and watch for every page that contains “Failed Login” or “Username and Password are Incorrect”, I can count the number of failed logins. This cannot be done with JA3, and it puts no load on your servers.
Being able to inspect the payload is crucial to finding out what is happening in your environment. The idea of NOT decrypting data and thinking you will still have the same visibility into everything you need is misleading. With things changing daily, having the flexibility to decrypt wire data is key to successfully protecting your network, as well as to providing performance information. So, if decrypting wire data is dirty, I guess I’ll have to go home and shower.
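To make the failed-login example concrete, here is an added illustration (not code from the original post or from any product mentioned in it). It takes decrypted HTTP exchanges, keeps only the derived fields the post talks about (method, path, status code, timing, failed-login flag) and drops the decoded body so no PII is retained; the sample exchanges and the elapsed-time values are constructed for the demo.

```python
from collections import Counter

# Page-body markers that applications return in a 200 response instead of a 401.
FAILED_LOGIN_MARKERS = ("Failed Login", "Username and Password are Incorrect")

# Constructed sample: (request line, decrypted raw response, elapsed ms).
# The first response deliberately carries an e-mail address to show it is not kept.
SAMPLE_EXCHANGES = [
    ("POST /login HTTP/1.1",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Welcome back, alice@example.com</html>", 120),
    ("POST /login HTTP/1.1",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><p>Failed Login</p></html>", 95),
    ("POST /login HTTP/1.1",
     "HTTP/1.1 200 OK\r\n\r\n<p>Username and Password are Incorrect. Please try again.</p>", 101),
    ("GET /account HTTP/1.1", "HTTP/1.1 401 Unauthorized\r\n\r\n", 20),
    ("GET /index.html HTTP/1.1", "HTTP/1.1 200 OK\r\n\r\n<html>Home</html>", 15),
]


def extract_fields(request_line, response, elapsed_ms):
    """Reduce one decrypted exchange to metadata; the body is inspected, then discarded."""
    method, path = request_line.split(" ")[:2]
    head, _, body = response.partition("\r\n\r\n")
    status = int(head.split(" ")[1])
    # A 200 whose page text carries a failure marker counts as a failed login,
    # as does a plain 401 for the (rarer) applications that do use it.
    failed_login = status == 401 or (
        status == 200 and any(marker in body for marker in FAILED_LOGIN_MARKERS)
    )
    # Only these derived fields leave this function; `body` is never stored.
    return {"method": method, "path": path, "status": status,
            "elapsed_ms": elapsed_ms, "failed_login": failed_login}


def summarize(exchanges):
    """Aggregate failed logins, status-code distribution and request timings."""
    records = [extract_fields(*exchange) for exchange in exchanges]
    return {
        "failed_logins": sum(1 for r in records if r["failed_login"]),
        "status_counts": dict(Counter(r["status"] for r in records)),
        "slowest_ms": max((r["elapsed_ms"] for r in records), default=0),
        "records": records,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EXCHANGES))
```

Note that the web log alone would show four 200s here; only by looking into the decrypted page text do two of them turn out to be failed logins.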