WAF is not SSL: Why you need both for proper website security

Written on 28 November, 2023 by John Galt

Many site owners believe that an SSL certificate is enough to make a website secure. However, simply having an SSL does not completely cover website security. An SSL helps encrypt data as it moves between visitors and web servers, but it does not provide comprehensive protection from hackers.

So, it is important to know that additional layers of protection are needed.

While often confused with SSLs, web application firewalls are an effective complement to guarding your site against a variety of threats. In this post, we will explain the differences between WAF and SSL and why you need both for a truly secure website.

Understanding SSL certificates

Secure sockets layer (SSL) is the web security standard for data encryption. It establishes an encrypted connection between a web server that serves requests and the end user’s web browser.

HTTP traffic encrypted by an SSL is known as HTTPS.

Users have come to expect this secure HTTPS communication channel when visiting websites. They can quickly verify that a site is SSL encrypted by checking for a lock icon next to the URL in a web browser:

Web authorities like Google even flag sites that lack such encryption as “not secure” to discourage users from proceeding.

SSL works using three protocols:

  1. The Handshake Protocol
  2. The Record Protocol
  3. The Alert Protocol

With the SSL Handshake, the client authenticates the server. The Record Protocol encrypts the data once the handshake is complete, and the Alert Protocol scans for questionable data packets.

The encrypted tunnels created by an SSL help prevent “man-in-the-middle” attacks when someone watches traffic between client and server. As such, they are absolutely essential for ensuring the secure transmission of sensitive information such as login credentials, credit card details, and other personal information.

Without an SSL, data sent between browsers and servers are sent in plain text. Needless to say, this is a massive vulnerability. If someone were to intercept the data they would be able to see and use the sensitive information.

All web browsers have the ability to interact with websites using the SSL protocol. But to do so, your web server needs an SSL certificate.

Understanding WAF

Web application firewalls (WAF) monitor, filter, or block data packets as they travel between web applications. They can be network-based, host-based or cloud-based. A WAF usually works as a reverse proxy placed in front of the origin server.

It doesn’t replace the network firewall and typically implemented between the network firewall and the server.

A WAF inspects every data packet and uses rules-based logic to filter out potentially harmful traffic. This prevents application-layer vulnerabilities such as SQL injection, cross-site scripting (XSS), and web shell attacks. To provide the best protection, the WAF needs to be able to analyze both HTTPS and HTTP traffic.

Most sites typically use a combination of web application firewalls and load balancers to protect communication within and between their applications. With this approach, numerous machine-to-machine connections must work together while still ensuring a functional application to the end-user.

This becomes more challenging as many of today’s sites use a distributed system of backend applications. Site owners need more than simply protect the edge with WAF and load balancers. They must also work to secure the inter-service communications between the various applications.

WAF & SSL working togehter

While SSLs protect the transportation of information, hackers can target the vulnerabilities in a Web application to attempt to inject malicious code that is not detected by the SSL. To prevent the execution of these malicious scripts or payloads, a web application firewall is required.

The WAF rapidly scans a database of know threats in attempt to detect malicious activities such as SQL injection level. This happens at the application level so the WAF needs to see the SSL traffic that happened client side.

There are two ways for the WAF to see the SSL encrypted traffic. The first is for the WAF to have a copy of the private key to decrepit the data as it flows.

The other is for the WAF to have its own SSL server. In this case, the WAF’s SSL is responsible for encrypted data that the client ultimately sees.

By using a WAF and an SSL allows you to protect both your web servers and your end user’s sensitive information.