By: Mike Ruiz

To inspect or to not inspect SSL: Why is this even a question?

Over half of the Internet today uses SSL (TLS) to encrypt traffic between your application and the server on the internet.  By the end of 2016, 80% of all traffic across Google properties was encrypted, and here at Zscaler, between 55-60% of all traffic that traverses our cloud is encrypted.

This is meant to keep your private information private.  It also means that malware can hide in SSL traffic to infect you, and can use SSL to communicate with its C&C servers.  You can look at the news websites at any given moment and see the latest security breach.  With the risk to your data, your business, and your reputation, how can you afford to let hackers remain hidden and private?  You can’t.

I’m a privacy and an encryption advocate. However, given the ease with which bad actors can obtain, and then misuse, SSL certificates, it’s vitally important that businesses inspect this traffic.  That may sound like a tricky thing to balance with the fact that I’m suggesting you must inspect traffic inside of that encryption to protect your very survival. In fact, fifty-four percent of the threats that we stop at Zscaler are hiding inside encrypted traffic; you can read our recent research on the threats that hid in SSL traffic.  If you’re interested in security you’ve probably noticed the CERT notice and blog about the risks of SSL inspection.  I can sum it up reasonably well in saying “if you implement inspection poorly you could create new exposure”, or perhaps even better, my favorite phrase “you can configure anything to not work.”

If SSL inspection is crucial to protect the security of your enterprise, how do you also protect the privacy of your data and of your employees?  Here are some simple guidelines to protect everyone:

  • Ensure your proxy has some key capabilities:

    • Block undecryptable traffic

    • Block traffic from sites with untrusted or revoked certificates

    • Block weak and deprecated encryption ciphers while adding modern strong ciphers with a phased-in approach

    • Have sufficient capacity to inspect ALL traffic, while exempting specific sites, applications, and domains from SSL inspection per your business policy

    • Scale your proxy so it can inspect, scan, and re-encrypt traffic on the same box or service

  • Ensure you have key policies and procedures:

    • Centralized administration of scanning policies and settings to avoid misconfigurations letting malware through

    • Lock down and periodically verify the trusted root certificate list on devices, or provide the same off-network protection for those devices that you do when they're on network.

    • Limited access to the network including appliances, credentials, switches, routers, etc.
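The proxy capabilities listed above amount to a per-session decision: bypass by business policy, block on certificate, protocol, cipher or decryptability problems, otherwise decrypt and scan. The following is an added illustration of that decision logic, not Zscaler product code; the session fields, the deprecated-cipher markers and the TLS 1.2 floor are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed example: one policy decision for one observed TLS session.
# Cipher markers and the protocol floor are assumed values; phase them in
# according to your own environment.
DEPRECATED_CIPHER_MARKERS = {"RC4", "DES", "3DES", "NULL", "EXPORT", "MD5", "ANON"}
PROTOCOL_ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
MINIMUM_PROTOCOL = "TLS1.2"


@dataclass
class TlsSession:
    hostname: str
    protocol: str          # negotiated version, e.g. "TLS1.2"
    cipher: str            # negotiated cipher suite name
    cert_trusted: bool     # server chain validates to a trusted root
    cert_revoked: bool     # CRL/OCSP reports the leaf certificate revoked
    decryptable: bool      # proxy can terminate it (no pinning, no client cert)


@dataclass
class InspectionPolicy:
    # Domains exempted from decryption by business policy; an entry such as
    # "bank.example" also covers its subdomains.
    bypass_domains: set = field(default_factory=set)

    def is_bypassed(self, hostname: str) -> bool:
        host = hostname.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.bypass_domains)

    def decide(self, s: TlsSession) -> tuple:
        """Return (action, reason); action is 'bypass', 'block' or 'inspect'."""
        # 1. Business-policy exemptions are passed through undecrypted.
        if self.is_bypassed(s.hostname):
            return ("bypass", "exempted by business policy")
        # 2. Untrusted or revoked server certificates are never relayed.
        if not s.cert_trusted:
            return ("block", "untrusted certificate chain")
        if s.cert_revoked:
            return ("block", "revoked certificate")
        # 3. Deprecated protocol versions and weak ciphers are refused
        #    rather than silently re-encrypted with something stronger.
        version_ok = s.protocol in PROTOCOL_ORDER and \
            PROTOCOL_ORDER.index(s.protocol) >= PROTOCOL_ORDER.index(MINIMUM_PROTOCOL)
        if not version_ok:
            return ("block", f"deprecated protocol {s.protocol}")
        if any(m in s.cipher.upper() for m in DEPRECATED_CIPHER_MARKERS):
            return ("block", f"weak cipher {s.cipher}")
        # 4. Anything the proxy cannot decrypt is blocked, not passed blind.
        if not s.decryptable:
            return ("block", "undecryptable traffic")
        return ("inspect", "decrypt, scan, re-encrypt")
```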

As the world moves nearly ubiquitously to SSL/TLS your security posture must also adapt. Proper classification and maintenance of IP and Hostname lists are useful tools in your defense strategy; the only question around SSL inspection is how soon you can get started.
