Live Global Events: Secure, Simplify, and Transform Your Business.

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

To inspect or to not inspect SSL: Why is this even a question?

April 20, 2017 - 3 min read

Over half of the Internet today uses SSL (TLS) to encrypt traffic between your application and the server on the internet.  By the end of 2016, 80% of all traffic across Google properties was encrypted, and here at Zscaler, between 55-60% of all traffic that traverses our cloud is encrypted.

This is meant to keep your private information private.  That also means that you can be infected by malware hiding in SSL traffic, and even use SSL to communicate with C&C servers.  You can look at the news websites at any given moment and see the latest security breach.  With the risk to your data, your business, and your reputation how can you afford to let hackers remain hidden and private?  You can’t.

I’m a privacy and an encryption advocate. However, given the ease with which bad actors can obtain, and then misuse, SSL certificates, it’s vitally important that businesses inspect this traffic.  That may sound like tricky thing to balance with the fact that I’m suggesting you must inspect traffic inside of that encryption to protect your very survival. In fact, fifty-four percent of the threats that we stop at Zscaler are hiding inside encrypted traffic; you can read our recent research on the threats that hid in SSL traffic .  If you’re interested in security you’ve probably noticed the CERT notice and blog about the risks of SSL inspection.  I can sum it up reasonably well in saying “if you implement inspection poorly you could create new exposure”, or perhaps even better, my favorite phrase “ you can configure anything to not work.”

If SSL inspection is crucial to protect the security of your enterprise, how do you also protect the privacy of your data and of your employees?  Here are some simple guidelines to protect everyone:

  • Ensure your proxy has some key capabilities:

    • Block undecryptable traffic

    • Block traffic from sites with untrusted or revoked certificates

    • Block weak and deprecated encryption ciphers while adding modern strong ciphers with a phased in approach

    • Have sufficient capacity to inspect ALL traffic while opting out per your business policy specific sites, applications, domains out of SSL inspection

    • Scale your proxy so it can inspect scan and encrypt traffic on the same box or service

  • Ensure you have key policies and procedures:

    • Centralized administration of scanning policies and settings to avoid misconfigurations letting malware through

    • Lock down and periodically verify the trusted root certificate list on devices, or provide the same off-network protection for those devices that you do when they're on network.

    • Limited access to the network including appliances, credentials, switches, routers, etc.

As the world moves nearly ubiquitously to SSL/TLS your security posture must also adapt. Proper classification and maintenance of IP and Hostname lists are useful tools in your defense strategy; the only question around SSL inspection is how soon you can get started.

form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

Exceptional Customer Experiences Begin at Home
Exceptional Customer Experiences Begin at Home
Read Post
The Power of Zscaler Intelligence: Generative AI and Holistic View of Risk
The Power of Zscaler Intelligence: Generative AI and Holistic View of Risk
Read Post
Take Cloud Native Security to the Next Level with Integrated DLP and Threat Intel
Take Cloud Native Security to the Next Level with Integrated DLP and Threat Intel
Read Post
Cloud Compliance
The Impact of Public Cloud Across Your Organization
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.