Encrypted Traffic Dominates

The other day I was trying to investigate a problem - Cisco Umbrella was reporting an important work-related site (www.cyber-abc.com) as malicious. It turns out it was a false positive by Cisco. 😡

As part of my investigation I broke out an old tool of mine, SimpleSniffer. While using it, I was reminded how much network traffic is encrypted - pretty much everything these days. Here is a partial screen grab of a Terminal window running SimpleSniffer. It shows the destination IP, destination port, and destination host names (captured via DNS analysis). Look at all that 443 traffic:

[Image: Running SimpleSniffer in a Terminal window - focused on destination]

If you are curious, below is a full view of the Terminal window. The left column shows the application that generated the network traffic - a neat little Easter Egg Apple throws into its tcpdump data. Each line only shows the first connection to the destination, so the view provides a nice summary of all the different destinations your computer is visiting.

[Image: Larger view of SimpleSniffer]

Most of the traffic is generated by WebKit, which is used by a number of applications to download and display HTML content from the Internet.

Out of curiosity I rebooted my Mac, logged in and only started the Terminal app in order to run SimpleSniffer. Below is a screenshot of the various applications generating network traffic behind the scenes. Your computer is often doing a lot of things on the network that you probably have no idea about.

[Image: Behind the scenes network chatter]

One final observation/question: Why is an application called “trustd” pretty much the only application using unencrypted HTTP (port 80) network connections?
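To make the two things SimpleSniffer is doing above concrete (mapping destination IPs back to host names from DNS answers seen in the same capture, and showing only the first connection per destination with the originating process), here is a small added Python example. It is not SimpleSniffer's code or Apple's; it parses a handful of constructed tcpdump-style text lines. The `(proc name:pid)` annotation in the sample imitates the per-process metadata macOS tcpdump can print, but its exact layout here is an assumption, and the host names, IPs and process list are made up for the example. It also flags which destinations were reached over plaintext ports, which is the quickest way to pull out the port 80 connections by process from a capture like the one in the last screenshot.

```python
"""Summarize first-seen destinations from tcpdump-style text lines, resolving
IPs to host names from DNS answers observed in the same capture."""
import re
from collections import OrderedDict

# Constructed sample capture, loosely modelled on tcpdump text output. The
# "(proc name:pid)" prefix imitates macOS tcpdump's per-process metadata; its
# exact layout here is an assumption, not Apple's verified format. All names,
# addresses and PIDs are invented for this example.
SAMPLE_LINES = [
    "12:00:01.000 IP 192.168.1.20.52100 > 192.168.1.1.53: 1234+ A? www.cyber-abc.com. (35)",
    "12:00:01.010 IP 192.168.1.1.53 > 192.168.1.20.52100: 1234 1/0/0 A 203.0.113.10 (51)",
    "12:00:01.020 (proc com.apple.WebKit.Networking:412) IP 192.168.1.20.52101 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.030 (proc com.apple.WebKit.Networking:412) IP 192.168.1.20.52102 > 203.0.113.10.443: Flags [S], seq 2, win 65535, length 0",
    "12:00:02.000 IP 192.168.1.20.52103 > 192.168.1.1.53: 1235+ A? status.example.net. (36)",
    "12:00:02.010 IP 192.168.1.1.53 > 192.168.1.20.52103: 1235 1/0/0 A 198.51.100.7 (52)",
    "12:00:02.020 (proc trustd:140) IP 192.168.1.20.52104 > 198.51.100.7.80: Flags [S], seq 3, win 65535, length 0",
    "12:00:03.000 (proc Safari:500) IP 192.168.1.20.52105 > 203.0.113.10.443: Flags [S], seq 4, win 65535, length 0",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# DNS query: transaction id and the name asked for (trailing dot stripped).
QUERY_RE = re.compile(r"\.53: (\d+)\+ A\? ([\w.-]+)\.")
# DNS answer: same transaction id followed by an A record.
ANSWER_RE = re.compile(r"\.53 > .*?: (\d+) \d+/\d+/\d+ A (" + IPV4 + ")")
# TCP SYN: optional process annotation, then destination IP and port.
SYN_RE = re.compile(
    r"(?:\(proc ([^:)]+):\d+\) )?IP [\d.]+ > (" + IPV4 + r")\.(\d+): Flags \[S\]"
)


def classify_port(port):
    """Rough transport label for the summary; 443 is assumed to carry TLS."""
    return {443: "TLS (encrypted)", 80: "HTTP (plaintext)", 53: "DNS (plaintext)"}.get(
        port, "other"
    )


def summarize(lines):
    """Return an ordered map of (dst ip, dst port) -> details of the first SYN
    seen to that destination, with host names learned from earlier DNS answers."""
    pending = {}           # DNS transaction id -> queried name
    names = {}             # resolved IP -> host name
    seen = OrderedDict()   # (ip, port) -> first connection details
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            pending[q.group(1)] = q.group(2)
            continue
        a = ANSWER_RE.search(line)
        if a:
            name = pending.get(a.group(1))
            if name:
                names[a.group(2)] = name
            continue
        s = SYN_RE.search(line)
        if s:
            proc, ip, port = s.group(1) or "unknown", s.group(2), int(s.group(3))
            if (ip, port) not in seen:   # keep only the first connection
                seen[(ip, port)] = {
                    "process": proc,
                    "host": names.get(ip, "?"),
                    "transport": classify_port(port),
                }
    return seen


def plaintext_destinations(summary):
    """List (process, host, port) for destinations reached over plaintext ports."""
    return [
        (d["process"], d["host"], port)
        for (ip, port), d in summary.items()
        if "plaintext" in d["transport"]
    ]


def render(summary):
    """Format the summary as aligned text lines, one per first-seen destination."""
    rows = []
    for (ip, port), d in summary.items():
        rows.append(f"{d['process']:<30} {ip:<16} {port:<6} {d['host']:<24} {d['transport']}")
    return rows


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    print("\n".join(render(result)))
    print("plaintext:", plaintext_destinations(result))
```

On the constructed sample this collapses four SYNs into two destination rows, attributes each to the process that opened it first, and lists the single port 80 connection (from `trustd` in the sample) as the only plaintext destination. Against a real capture the DNS answer and process-annotation patterns would need to be checked against your tcpdump's actual output format.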