Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, August 24, 2011

Are you ready for HTTPS Everywhere?

The EFF, in collaboration with the Tor Project, launched the official 1.0 version of the HTTPS Everywhere tool on Aug. 4, just over a year after the first beta version was released in June 2010. According to EFF's blog post, the extension will help secure Internet browsing by encrypting connections to more than 1,000 Web sites.

If you're an administrator of a Secure Web Gateway or web proxy, that statement alone should have you worried, or at the very least give you momentary pause. The reason? While most organizations have deployed secure web gateways for HTTP traffic, very few have actually gone the additional step of turning on the SSL proxy for their external web traffic. The reasons are varied, but they include the overhead that encryption and decryption would place on the web proxy, the fact that most sites, until recently, generally provided data and content unencrypted, and the privacy issues and concerns around inspecting SSL traffic.

But SSL is gaining traction, and most email providers and even Facebook offer options for keeping SSL turned on. This increases the likelihood that malware and other undesirable content can be brought down to the organization's network, since SSL is likely bypassing the proxy.

What's the right solution? If you haven't already turned on your SSL proxy, investigate what it means to your network and your proxy if you do. Make sure your proxy can handle the additional load of SSL decryption and encryption. The easiest way to do this is to check whether your proxy has an SSL hardware card, or the option to add one. Trying to do decryption and encryption in software will add load to what's probably an overloaded proxy to begin with, and in all likelihood could add latency to your web traffic. That's why hardware-based SSL is the best bet.

Next, set up policy so that you aren't violating your employees' privacy rights. That may include turning off the SSL proxy for users in certain countries, and turning it off for certain categories (like banking). Run this past your HR and legal teams to be sure you're doing the right thing.
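The policy described above can be prototyped before it goes into the proxy. The following Python sketch is an added example, not taken from any proxy product: the country codes, category names, `Request` fields and function names are constructed placeholders, and inspecting unrated traffic by default is an assumption.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: replace with the lists HR and legal approve.
EXEMPT_COUNTRIES = {"XA", "XB"}   # user locations where decryption is off
EXEMPT_CATEGORIES = {"banking"}   # URL categories that are never decrypted


@dataclass(frozen=True)
class Request:
    user_country: str         # country code of the employee's location
    host: str                 # destination host seen by the proxy
    category: Optional[str]   # proxy's URL category, None if unrated


def ssl_decision(req: Request) -> tuple:
    """Return (action, reason): 'tunnel' passes SSL through untouched,
    'inspect' decrypts it for malware and content scanning."""
    country = req.user_country.strip().upper()
    if country in EXEMPT_COUNTRIES:
        return ("tunnel", "country:" + country)
    category = (req.category or "").strip().lower()
    if category in EXEMPT_CATEGORIES:
        return ("tunnel", "category:" + category)
    # Assumption: unrated or non-exempt traffic is inspected by default,
    # so a categorization gap never silently widens the bypass.
    return ("inspect", "default")


def bypass_summary(requests) -> Counter:
    """Count decisions by reason, to show reviewers how much stays uninspected."""
    return Counter(ssl_decision(r)[1] for r in requests)


# Constructed sample traffic.
SAMPLE = [
    Request("US", "mail.example.com", "email"),
    Request("US", "bank.example.com", "Banking"),
    Request("xa", "social.example.com", "social networking"),
    Request("US", "unrated.example.net", None),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.host, *ssl_decision(r))
    print(dict(bypass_summary(SAMPLE)))
```

Recording the reason alongside each decision gives HR and legal a concrete view of which exemptions account for the traffic that stays uninspected.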

Once you've got those figured out, it's time to go live with the SSL proxy, and you'll be sure you're inspecting encrypted traffic for malware and undesirable content.
