We’re here to help if you’ve been wondering what the terms “SSL inspection,” “TLS inspection,” “SSL interception,” or “HTTPS inspection” mean. We will delve deeper into these concepts in this article.
Most web traffic now travels over HTTPS, helped along by Google's push for encryption by default. Deploying an SSL/TLS certificate is a definitive step towards securing a website, because encrypting traffic in transit protects it from being read or tampered with on the way.
However, the same encryption hides what is inside a connection from the network: attackers use HTTPS to deliver malware and to exfiltrate confidential data from corporate networks. SSL inspection exists to restore visibility into that traffic, and so adds a layer of defence for your network and its users.
What Is SSL Inspection? How Does It Work?
In short, SSL inspection (also called HTTPS inspection or TLS inspection) is a way of detecting malicious activity inside encrypted channels. It works like an authorised man-in-the-middle (MitM): the inspection device terminates the client's TLS session itself, decrypts and examines the traffic, and opens its own TLS session to the real server. For this to work without certificate warnings, the clients must trust the certificate authority the device uses to sign the certificates it presents on the server's behalf.
This raises the obvious objection: doesn't that defeat the purpose of encrypting the traffic, which was to prevent eavesdropping and tampering in the first place? In some ways it does, and the whole process can seem counterintuitive. But because attackers now routinely use encrypted channels to spread malware, a defender who cannot look at the traffic flowing between browsers and servers has little else to go on.
Most network security tools cannot detect malware inside encrypted traffic, so it passes through them unnoticed. SSL inspection gives those tools plaintext to work on, and it can be applied to both inbound traffic (requests to your servers) and outbound traffic (your users' connections to the Internet).
What Are SSL Inspection Tools?
People use several terms for SSL inspection appliances. An interception device, for instance, is often called a middlebox: it sits in the path of the traffic, decrypts and analyses it, and filters out malicious content.
In a traditional corporate network, the tools that consume the decrypted traffic may include:
- next-generation firewalls,
- network sandboxes that detonate and analyse suspicious traffic,
- intrusion detection/prevention systems (IDS/IPS),
- data loss prevention (DLP) solutions,
- secure web gateways, etc.
When you deploy SSL inspection, the device intercepts the connection, decrypts it and scans the content. It can also hand the decrypted content to an IDS/IPS, a DLP system and other tools in parallel. Once the verdicts are in, the traffic is re-encrypted and forwarded to its destination.
In a naive chained design, every device in the path performs its own HTTPS/TLS inspection, so the traffic is decrypted and re-encrypted at each hop.
A better arrangement is to decrypt once: a single SSL inspection device decides which tools (DLP, firewall, IDS/IPS and so on) need to see the plaintext and feeds them in parallel, which keeps latency low. If instead the traffic is decrypted, inspected, re-encrypted and forwarded at each layer in turn, you introduce several single points of failure, degrade performance, add latency at every hop and end up with an inelegant design.
What Are the Advantages of Enabling HTTPS Inspection?
Now that we have seen how TLS inspection works, the advantages of putting an SSL inspection appliance on your network mostly follow from it. HTTPS traffic inspection gives you the capacity to:
- Detect and block malicious requests hidden inside encrypted sessions, including those used to mount DDoS attacks, and gain greater visibility of malicious users and IP addresses
- Monitor the traffic that leaves your network, which is where data exfiltration and malware command-and-control show up
- Feed decrypted traffic to artificial intelligence (AI) or machine learning (ML) tools in your environment, which can only learn traffic patterns from what they are allowed to see.
What Are the Disadvantages of Performing a TLS Inspection?
Instead of one continuous connection between the client and the server, two separate TLS connections are established: one between the client browser and the interception device, and another between the interception device and the server. Unless the implementation is done correctly, this break in the connection can hurt performance and introduces security concerns of its own:
- If the device decrypts and re-encrypts with older, obsolete cryptographic standards (weaker protocol versions or cipher suites than the browser would have negotiated on its own), it significantly lowers the strength of the encryption and jeopardises the overall security of the data.
- According to an alert issued by US-CERT (part of the US Department of Homeland Security), middleboxes performing HTTPS inspection often fail to verify the server's certificate chain correctly before forwarding traffic. When that happens, the client sees a valid certificate from the middlebox even though the connection to the real server was never properly authenticated, which undoes much of the security TLS was supposed to provide.
- A 2017 study by researchers from several prominent organisations (published as "The Security Impact of HTTPS Interception") analysed 12 popular network middleboxes and found that only one (the Symantec-owned Blue Coat ProxySG 6642) maintained security and mirrored the capabilities of the client browser. The rest were found to be suboptimal, susceptible to known attacks or severely broken. The study also examined anti-virus software that runs on consumer computers. Of almost 8 billion SSL/TLS handshakes analysed, 10.9% had been intercepted.
- Of the traffic that passed through a middlebox, 62% had reduced security and 58% had severe vulnerabilities, either because the device was susceptible to known attacks or because it introduced serious weaknesses of its own.
How Does SSL Offloading Help with SSL Inspection?
Your web server's primary job is to serve the pages and other content that the client browser requested. Handling the TLS handshakes and encryption on that same server is resource-intensive and affects the performance of your website. SSL offloading moves that work to a dedicated edge device, and in an inspection set-up that edge device is also the natural place to look at the plaintext.
SSL offloading typically uses a load balancer (or reverse proxy) to take the cryptographic burden off the application server. There are two ways to do it:
- SSL termination - An incoming HTTPS connection from the client browser is terminated at an SSL terminator (also called an SSL load balancer or proxy server). The connection between this edge device and the server, however, is unencrypted (plain HTTP). Because that traffic flows in plaintext, an attacker who already has a foothold inside the network can read or alter it.
- SSL bridging - The edge device terminates the client's TLS session and then re-encrypts the traffic, so that the hop between the edge device and the server is also an HTTPS connection.
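As an added example (not from the original article), here is how the two modes look side by side in an nginx configuration. The hostname, backend addresses and file paths are placeholders. The bridging block also verifies the backend's certificate against an internal CA: `proxy_ssl_verify` defaults to off in nginx, so bridging without it encrypts the inner hop but does not authenticate the backend, the same class of defect the US-CERT alert above describes for middleboxes.

```nginx
# Edge device: the client's TLS session terminates here in both modes.
server {
    listen 443 ssl;
    server_name app.example.com;                      # placeholder hostname

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;              # nothing older on the client leg

    # Mode 1: SSL termination. The hop to the backend is plain HTTP, so anyone
    # with a foothold on the internal segment can read or modify it.
    location /legacy/ {
        proxy_pass http://10.0.0.10:8080;
    }

    # Mode 2: SSL bridging. The edge re-encrypts towards the backend AND checks
    # the backend's certificate against the internal CA, so the inner hop is no
    # weaker than the outer one. Without proxy_ssl_verify on, the inner hop is
    # encrypted but unauthenticated.
    location / {
        proxy_pass https://10.0.0.10:8443;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_server_name         on;
        proxy_ssl_name                backend.internal;   # name the backend cert must carry
    }
}
```

The `/legacy/` location exists only to show the terminated mode next to the bridged one; in a real deployment you would not mix them on the same virtual host without a reason.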
Where DPI SSL Fits into the Equation
DPI SSL is another term that comes up in discussions of SSL or HTTPS inspection. It means deep packet inspection of SSL/TLS-encrypted traffic, typically performed by a firewall: the firewall decrypts and evaluates the data, then decides whether to block it or re-encrypt it and forward it to its destination. For this to work, the firewall's own certificate authority must be trusted by the client browsers on the inside, and the firewall in turn must validate the certificates presented by the servers on the outside.
It also helps when someone tries to bypass content filtering by going through a proxy site, which is useful for a company that wants to block such pages or limit the bandwidth consumed by streaming media on the business network. Without DPI, a signature-based firewall cannot recognise and block such HTTPS traffic, because the encryption hides the signatures it is looking for. The price is that deep packet inspection needs a firewall with considerably more computing capacity.
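To make the mechanism concrete, here is an added example in Go (standard library only); it is not code from the original article or from any product mentioned in it. It implements what the earlier section on how SSL inspection works and the DPI SSL section above describe: a private inspection CA mints a certificate for each intercepted hostname on the fly, the middlebox terminates the client's TLS session with that certificate, hands the decrypted request to an inspection hook, and opens a second TLS session to the origin whose certificate chain it verifies against the roots it was configured with, failing closed (HTTP 502, nothing relayed) when that verification fails, which is the defect the US-CERT alert above warns about. Both legs refuse anything below TLS 1.2 so the middlebox does not downgrade what the browser would have negotiated. The hostname `app.example.com`, the CA names, the `X-Constructed-Malware-Marker` string the hook blocks and the loopback servers are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// Cert is a certificate with its private key and, for leaves, the CA that issued it.
type Cert struct {
	X      *x509.Certificate
	Key    *ecdsa.PrivateKey
	Issuer *Cert
}

// Issue creates a one-day P-256 certificate for name: a self-signed CA when parent is nil,
// otherwise a TLS server leaf for that hostname chained to parent.
func Issue(name string, parent *Cert) (*Cert, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	issuer := parent
	if parent == nil { // root: self-signed, allowed to sign certificates and nothing else
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, &Cert{X: tmpl, Key: key}
	} else { // leaf: valid for exactly this hostname
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.X, &key.PublicKey, parent.Key)
	if err != nil {
		return nil, err
	}
	x, err := x509.ParseCertificate(der)
	return &Cert{X: x, Key: key, Issuer: issuer}, err
}

// Pool is the trust store of a party that accepts this CA; TLS is the chain a server presents.
func (c *Cert) Pool() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c.X); return p }
func (c *Cert) TLS() tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.X.Raw, c.Issuer.X.Raw}, PrivateKey: c.Key}
}

// Inspect is the hook where an IDS/IPS, DLP or sandbox would examine the decrypted request; this stand-in blocks a constructed marker.
func Inspect(body []byte) bool { return !bytes.Contains(body, []byte("X-Constructed-Malware-Marker")) }

// clientTLS verifies the peer's chain for host against roots and refuses anything below TLS 1.2.
func clientTLS(host string, roots *x509.CertPool) *http.Transport {
	return &http.Transport{TLSClientConfig: &tls.Config{ServerName: host, RootCAs: roots, MinVersion: tls.VersionTLS12}}
}

// serveTLS starts an HTTPS server on a loopback port that presents cert (used for the origin and the middlebox).
func serveTLS(h http.Handler, cert tls.Certificate) *httptest.Server {
	s := httptest.NewUnstartedServer(h)
	s.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	s.StartTLS()
	return s
}

// NewInspectingProxy is the middlebox. Towards the client it terminates TLS with mitmCert (minted for host
// by the inspection CA); towards the origin it opens a second TLS session whose chain must verify against
// originRoots, otherwise ReverseProxy answers 502 and relays nothing (fail closed, never fail open).
func NewInspectingProxy(host, originURL string, mitmCert tls.Certificate, originRoots *x509.CertPool) *httptest.Server {
	target, _ := url.Parse(originURL)
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.Transport = clientTLS(host, originRoots)
	return serveTLS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body) // plaintext here: this is the inspection point
		if !Inspect(body) {
			http.Error(w, "blocked by policy", http.StatusForbidden)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // approved: re-encrypted and forwarded
		rp.ServeHTTP(w, r)
	}), mitmCert)
}

// Fetch posts body to proxyURL as a client that trusts roots and expects to talk to host; it returns
// the status, the reply and the leaf certificate the client was actually shown.
func Fetch(proxyURL, host string, roots *x509.CertPool, body string) (int, string, *x509.Certificate, error) {
	resp, err := (&http.Client{Transport: clientTLS(host, roots)}).Post(proxyURL, "text/plain", bytes.NewReader([]byte(body)))
	if err != nil {
		return 0, "", nil, err
	}
	defer resp.Body.Close()
	reply, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(bytes.TrimSpace(reply)), resp.TLS.PeerCertificates[0], err
}
```

To run it, issue an origin CA and a leaf for `app.example.com` with `Issue`, start any HTTPS handler (an echo handler will do) with `serveTLS(handler, leaf.TLS())` as the origin, issue a separate inspection CA and mint a leaf for the same hostname, start `NewInspectingProxy` pointed at the origin's URL with the origin CA's `Pool()` as upstream roots, and call `Fetch` with the inspection CA's `Pool()`. Three outcomes are worth noticing: a client that trusts only the origin CA gets a certificate error from the proxy, which is the warning users see when the inspection CA has not been pushed to their devices; the certificate a trusting client is shown is issued by the inspection CA rather than the origin's CA, which is why certificate pinning breaks behind such devices; and a proxy configured with the wrong upstream roots answers 502 instead of relaying, where a broken middlebox would have shown the client a perfectly valid certificate for a connection it never authenticated.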
Wrapping Up the Topic of SSL Inspection
We hope this article answered the question "What is SSL inspection?" and gave you a clearer picture of how it works and what its advantages and disadvantages are. Knowing this, the question you are left with is whether to inspect the HTTPS traffic inside your company to detect ransomware and other threats, or to keep the status quo and hope for the best.
On paper, HTTPS inspection is the logical choice. In practice, a middlebox can undermine security rather than improve it, depending on how it handles the TLS connections on each side and whether it keeps up with current cryptographic standards, so adopting it is a decision to weigh carefully before you commit in either direction.