Zpedia / What Is SSL Decryption?

What Is SSL Decryption?

SSL decryption is the process of unscrambling encrypted traffic to check it for cyberthreats as part of a full SSL inspection procedure. It’s a vital network security capability for modern organizations since the overwhelming majority of web traffic is now encrypted, and some cybersecurity analysts estimate more than 90% of malware may now hide in encrypted channels.

Report: Understand the state of encrypted attacks

Why Is SSL Decryption Important?

With the growing popularity of the cloud and SaaS apps, it’s become more likely that a given file or string of data will traverse the internet at some point. If that data is confidential or sensitive, it could be a target. Encryption, therefore, is essential to keeping people and data safe. That’s why most browsers, websites, and cloud apps today encrypt outgoing data as well as exchange that data over encrypted connections.

Of course, it works both ways—if sensitive data can use encryption to hide, then threats can, too. This makes effective SSL decryption equally essential as it enables an organization to fully inspect the contents of decrypted traffic before either blocking it or re-encrypting it so that it can continue on its way.

SSL vs. TLS

Time for a disambiguation. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols that govern encryption and transmission of data between two points. So, what’s the difference?

The now-defunct Netscape developed SSL in the 1990s, releasing SSL 3.0 in late 1996. TLS 1.0, based on an improved version of SSL 3.0, came about in 1999. TLS 1.3, released by the Internet Engineering Task Force (IETF) in 2018, is the most recent and secure version as of this writing. Today, SSL is no longer developed or supported—by 2015, the IETF had declared all versions of SSL deprecated due to vulnerabilities (e.g., to man in the middle attacks) and lack of critical security features.

Despite this and decades of change, outside of a strictly technical sense, most people still say “SSL” as a catch-all for cryptographic protocols. In other words, when you see SSL, TLS, SSL/TLS, HTTPS, and so on, they all mean the same thing most of the time. For the purposes of this article, we’ll clarify as needed.

Benefits of SSL Decryption

Implementing SSL decryption and inspection helps today’s organizations keep their end users, customers, and data safe, with the ability to:

  • Prevent data breaches by finding hidden malware and stopping hackers from sneaking past defenses
  • See and understand what employees are sending outside of the organization, intentionally or accidentally
  • Meet regulatory compliance requirements, ensuring employees aren’t putting confidential data at risk
  • Support a multilayered defense strategy that keeps the entire organization secure

Between January and September of 2021, Zscaler blocked 20.7 billion threats over HTTPS. This represents an increase of more than 314 percent from the 6.6 billion threats blocked in 2020, which itself was a nearly 260 percent increase from the year before.

ThreatLabz: The State of Encrypted Attacks, 2021

The Need for SSL Decryption

Despite increased encryption usage, many organizations still inspect only some of their SSL/TLS traffic, allowing traffic from content delivery networks (CDNs) and certain “trusted” sites to go uninspected. This can be risky because:

  • Webpages can change easily. Some draw from multiple sources to display hundreds of objects, each of which should be considered untrusted, no matter its source.
  • Malware authors often use encryption to hide their exploits. With more than 100 certificate authorities around the globe today, it’s easy and inexpensive to obtain a valid SSL certificate.
  • Most traffic is encrypted. At any given time, around 70% of traffic the Zscaler Cloud processes is encrypted, accentuating the importance of being able to decrypt SSL traffic.

So, why doesn’t everybody do it? Simply, it takes a lot of computation to decrypt, inspect, and re-encrypt SSL traffic, and without the right technology, it can devastate your network’s performance. Most companies can’t afford to grind business and workflows to a halt, so they have no choice but to bypass inspection by appliances that can’t keep up with the processing demands.

How SSL Decryption Works

There are a few different approaches to SSL decryption and inspection. Let’s look at the most common ones and key considerations for each.

Method of SSL inspection

1

  • Terminal Access Point (TAP) mode

    A simple hardware device copies all network traffic for offline analysis, including SSL inspection.

  • Next-Generation Firewall (NGFW)

    Network connections stream through an NGFW with only packet-level visibility, which limits threat detection.

  • Proxy

    Two separate connections are created between client and server, with full inspection across network flow and sessions.

2

  • Terminal Access Point (TAP) mode

    Expensive hardware (e.g., 10G network TAPs) is required to ensure all traffic is copied at full line rate without data loss.

  • Next-Generation Firewall (NGFW)

    NGFWs only see a fraction of malware, allowing it to be delivered in pieces. They require bolt-on proxy functionality and tend to underperform when key features like threat prevention are enabled.

  • Proxy

    Entire objects can be reassembled and scanned, allowing for scanning by additional threat detection engines, such as sandbox and DLP.

3

  • Terminal Access Point (TAP) mode

    Retrospective SSL inspection no longer works due to “perfect forward secrecy,” which requires new keys for every SSL session.

  • Next-Generation Firewall (NGFW)

    Performance drops notably due to the higher performance and scale requirements of TLS 1.3 ciphers, requiring a hardware upgrade to overcome.

  • Proxy

    In the case of a cloud proxy delivered as a service, no appliance refresh is required on the customer side to meet TLS 1.3 performance and scale needs.

SSL Decryption Best Practices

The need to implement an SSL decryption and inspection function to protect your organization has become too great to ignore. Even so, there are important things to consider—some more technical than others—as you deploy SSL inspection:

  • Start with a small location or test lab to ensure your team understands the feature, and that it works as intended, before enabling it more broadly.
  • To reduce troubleshooting, consider updating your end user notifications to inform users of the new SSL inspection policy.
  • (Optional) When defining SSL inspection policy, create a list of URLs and URL categories as well as cloud apps and cloud app categories for which SSL transactions will not be decrypted.
  • At first, only enable inspection for risky categories—adult content and gambling, for instance, or those that pose privacy or liability risks. Then, when ready, enable inspection for all URL categories except finance and health to allay privacy concerns.
  • Take note of applications your organization uses that leverage certificate pinning, where the application will accept only one specific client certificate. These apps might not work with SSL inspection, so you’ll need to include them in the list of what not to decrypt.
  • Enable user authentication to allow your SSL inspection service to apply user policies.

What About the Privacy Implications of SSL Inspection?

SSL decryption and inspection can drastically improve your security hygiene, but it might not be as simple as decrypting everything. Depending on your industry, region, and the laws and regulations you’re subject to, you may deal with certain traffic that shouldn’t be decrypted, such as medical or financial data. In this case, you’ll need to configure filters and policies to keep these types of connections private.

Outside of legal and regulatory concerns, your organization should generally inspect as much SSL traffic as possible to reduce risk and keep your users and data safe.

Zscaler and SSL Decryption

The Zscaler Zero Trust Exchange™ platform enables complete SSL inspection at scale without latency or capacity limitations. By pairing SSL inspection with our complete security stack as a cloud service, you get superior protection without the constraints of appliances.

Unlimited Capacity

Inspect all your users’ SSL traffic, on or off network, with a service that elastically scales to meet your traffic demands.

Leaner Administration

Stop managing certificates individually across all gateways. Certificates uploaded to the Zscaler Cloud are immediately available in 150+ Zscaler data centers worldwide.

Granular Policy Control

Ensure compliance with the flexibility to exclude encrypted user traffic for sensitive website categories such as healthcare or banking.

Safety and Security

Stay covered with support for the latest AES/GCM and DHE cipher suites for perfect forward secrecy. User data is never stored in the cloud.

Simplified Certificate Management

Use our certificates or bring your own. Use our API to easily rotate your certificates as often as needed.

Ready to learn more about how you can inspect encrypted traffic without limitations and costly appliances? See how Zscaler SSL Inspection can help.

Suggested Resources