Ready to learn more about how you can inspect encrypted traffic without limitations and costly appliances? See how Zscaler SSL Inspection can help.
- See The Difference
- What is Zero Trust The strategy on which Zscaler was built
- How Zscaler Delivers Zero Trust A platform that enforces policy based on context
- Zero Trust Resources Learn its principles, benefits, strategies
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Customer Success Stories Hear first-hand transformation stories
- Analyst Recognition Industry experts weigh in on Zscaler
- See the Zscaler Cloud in Action Traffic processed, malware blocked, and more
- Experience the Difference Get started with zero trust
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Products & Solutions
- Secure Your Users Provide users with seamless, secure, reliable access to applications and data. Secure Your Workloads Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud. Secure Your OT and IoT Provide zero trust connectivity for OT and IoT devices and secure remote access to OT systems.
- Products Transform your organization with 100% cloud-native services
- Solutions Propel your business with zero trust solutions that secure and connect your resources
![Zscaler workplace enablement]( "Zscaler workplace enablement")
Make hybrid work possibleGet StartedSecure work from anywhere, protect data, and deliver the best experience possible for users
- Industries Our ecosystem of zero trust partners
- Partner Integrations Simplified deployment and management
![Zscaler industry partners]( "Zscaler industry partners")
Secure your ServiceNow DeploymentGet StartedIt’s time to protect your ServiceNow data better and respond to security incidents quicker
- Platform
- Platform Overview Unified platform for transformation
- Capabilities Integrated services, infinitely scalable
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformationLearn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
![Gartner Report]( "Gartner Report")
Gartner Magic Quadrant LeaderRead ReportZscaler: A Leader in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) New Positioned Highest in the Ability to Execute
- Resources
- Content Library Explore topics that will inform your journey
- Blog Perspectives from technology and transformation leaders
- Security Assessment Toolkit Analyze your environment to see where you could be exposed
- Webinars and Demos A first-hand look into important topics
- Executive Insights App Security insights at your fingertips
- Ransomware ROI Calculator Assess the ROI of ransomware risk reduction
- Training and Certifications Engaging learning experiences, live training, and certifications
- Customer Success Center Quickly connect to resources to accelerate your transformation
- Customer Success Stories Hear first-hand transformation stories
![Customer success center]( "Customer success center")
- Security & Threat Analytics Threat dashboards, cloud activity, IoT, and more
- Security Advisories News about security events and protections
- Vulnerability Disclosure Program Webinars, training, demos, and more
- Trust Portal Zscaler cloud status and advisories
![Zscaler resources]( "Zscaler resources")
- Company
- About Zscaler How it began, where it’s going
- Leadership Meet our management team
- Investor Relations News, stock information, and quarterly reports
- Compliance Our adherence to rigorous standards
- ESG Our Environmental, Social, and Governance approach
- Events Upcoming opportunities to meet with Zscaler
- Zenith Ventures Strategic cybersecurity investments
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Media Center News, blogs, events, photos, logos, and other brand assets
- News and Press Zscaler in the news
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Partner Portal Tools and resources for Zscaler partners
- Summit Partner Program Collaborating to ensure customer success
- System Integrators Helping joint customers become cloud-first companies
- Service Providers Delivering an integrated platform of services
- Technology Deep integrations simplify cloud migration
- Partner Inquiry Become a Zscaler partner
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
-
What Is SSL Decryption? SSL decryption is the process of unscrambling encrypted traffic to check it for cyberthreats as part of a full SSL inspection procedure. It’s a vital network security capability for modern organizations since the overwhelming majority of web traffic is now encrypted, and some cybersecurity analysts estimate more than 90% of malware may now hide in encrypted channels.
Report: Understand the state of encrypted attacksWhy Is SSL Decryption Important?
With the growing popularity of the cloud and SaaS apps, it’s become more likely that a given file or string of data will traverse the internet at some point. If that data is confidential or sensitive, it could be a target. Encryption, therefore, is essential to keeping people and data safe. That’s why most browsers, websites, and cloud apps today encrypt outgoing data as well as exchange that data over encrypted connections.
Of course, it works both ways—if sensitive data can use encryption to hide, then threats can, too. This makes effective SSL decryption equally essential as it enables an organization to fully inspect the contents of decrypted traffic before either blocking it or re-encrypting it so that it can continue on its way.
SSL vs. TLS
Time for a disambiguation. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols that govern encryption and transmission of data between two points. So, what’s the difference?
The now-defunct Netscape developed SSL in the 1990s, releasing SSL 3.0 in late 1996. TLS 1.0, based on an improved version of SSL 3.0, came about in 1999. TLS 1.3, released by the Internet Engineering Task Force (IETF) in 2018, is the most recent and secure version as of this writing. Today, SSL is no longer developed or supported—by 2015, the IETF had declared all versions of SSL deprecated due to vulnerabilities (e.g., to man in the middle attacks) and lack of critical security features.
Despite this and decades of change, outside of a strictly technical sense, most people still say “SSL” as a catch-all for cryptographic protocols. In other words, when you see SSL, TLS, SSL/TLS, HTTPS, and so on, they all mean the same thing most of the time. For the purposes of this article, we’ll clarify as needed.
Benefits of SSL Decryption
Implementing SSL decryption and inspection helps today’s organizations keep their end users, customers, and data safe, with the ability to:
- Prevent data breaches by finding hidden malware and stopping hackers from sneaking past defenses
- See and understand what employees are sending outside of the organization, intentionally or accidentally
- Meet regulatory compliance requirements, ensuring employees aren’t putting confidential data at risk
- Support a multilayered defense strategy that keeps the entire organization secure
Between January and September of 2021, Zscaler blocked 20.7 billion threats over HTTPS. This represents an increase of more than 314 percent from the 6.6 billion threats blocked in 2020, which itself was a nearly 260 percent increase from the year before.
ThreatLabz: The State of Encrypted Attacks, 2021
The Need for SSL Decryption
Despite increased encryption usage, many organizations still inspect only some of their SSL/TLS traffic, allowing traffic from content delivery networks (CDNs) and certain “trusted” sites to go uninspected. This can be risky because:
- Webpages can change easily. Some draw from multiple sources to display hundreds of objects, each of which should be considered untrusted, no matter its source.
- Malware authors often use encryption to hide their exploits. With more than 100 certificate authorities around the globe today, it’s easy and inexpensive to obtain a valid SSL certificate.
- Most traffic is encrypted. At any given time, around 70% of traffic the Zscaler Cloud processes is encrypted, accentuating the importance of being able to decrypt SSL traffic.
So, why doesn’t everybody do it? Simply, it takes a lot of computation to decrypt, inspect, and re-encrypt SSL traffic, and without the right technology, it can devastate your network’s performance. Most companies can’t afford to grind business and workflows to a halt, so they have no choice but to bypass inspection by appliances that can’t keep up with the processing demands.
How SSL Decryption Works
There are a few different approaches to SSL decryption and inspection. Let’s look at the most common ones and key considerations for each.
Method of SSL inspection
How it works
-
Terminal Access Point (TAP) mode
A simple hardware device copies all network traffic for offline analysis, including SSL inspection.
-
Next-Generation Firewall (NGFW)
Network connections stream through an NGFW with only packet-level visibility, which limits threat detection.
-
Proxy
Two separate connections are created between client and server, with full inspection across network flow and sessions.
Impact of SSL inspection
-
Terminal Access Point (TAP) mode
Expensive hardware (e.g., 10G network TAPs) is required to ensure all traffic is copied at full line rate without data loss.
-
Next-Generation Firewall (NGFW)
NGFWs only see a fraction of malware, allowing it to be delivered in pieces. They require bolt-on proxy functionality and tend to underperform when key features like threat prevention are enabled.
-
Proxy
Entire objects can be reassembled and scanned, allowing for scanning by additional threat detection engines, such as sandbox and DLP.
Impact after adoption of TLS 1.3
-
Terminal Access Point (TAP) mode
Retrospective SSL inspection no longer works due to “perfect forward secrecy,” which requires new keys for every SSL session.
-
Next-Generation Firewall (NGFW)
Performance drops notably due to the higher performance and scale requirements of TLS 1.3 ciphers, requiring a hardware upgrade to overcome.
-
Proxy
In the case of a cloud proxy delivered as a service, no appliance refresh is required on the customer side to meet TLS 1.3 performance and scale needs.
SSL Decryption Best Practices
The need to implement an SSL decryption and inspection function to protect your organization has become too great to ignore. Even so, there are important things to consider—some more technical than others—as you deploy SSL inspection:
- Start with a small location or test lab to ensure your team understands the feature, and that it works as intended, before enabling it more broadly.
- To reduce troubleshooting, consider updating your end user notifications to inform users of the new SSL inspection policy.
- (Optional) When defining SSL inspection policy, create a list of URLs and URL categories as well as cloud apps and cloud app categories for which SSL transactions will not be decrypted.
- At first, only enable inspection for risky categories—adult content and gambling, for instance, or those that pose privacy or liability risks. Then, when ready, enable inspection for all URL categories except finance and health to allay privacy concerns.
- Take note of applications your organization uses that leverage certificate pinning, where the application will accept only one specific client certificate. These apps might not work with SSL inspection, so you’ll need to include them in the list of what not to decrypt.
- Enable user authentication to allow your SSL inspection service to apply user policies.
What About the Privacy Implications of SSL Inspection?
SSL decryption and inspection can drastically improve your security hygiene, but it might not be as simple as decrypting everything. Depending on your industry, region, and the laws and regulations you’re subject to, you may deal with certain traffic that shouldn’t be decrypted, such as medical or financial data. In this case, you’ll need to configure filters and policies to keep these types of connections private.
Outside of legal and regulatory concerns, your organization should generally inspect as much SSL traffic as possible to reduce risk and keep your users and data safe.
Zscaler and SSL Decryption
The Zscaler Zero Trust Exchange™ platform enables complete SSL inspection at scale without latency or capacity limitations. By pairing SSL inspection with our complete security stack as a cloud service, you get superior protection without the constraints of appliances.
Unlimited Capacity
Inspect all your users’ SSL traffic, on or off network, with a service that elastically scales to meet your traffic demands.
Leaner Administration
Stop managing certificates individually across all gateways. Certificates uploaded to the Zscaler Cloud are immediately available in 150+ Zscaler data centers worldwide.
Granular Policy Control
Ensure compliance with the flexibility to exclude encrypted user traffic for sensitive website categories such as healthcare or banking.
Safety and Security
Stay covered with support for the latest AES/GCM and DHE cipher suites for perfect forward secrecy. User data is never stored in the cloud.
Simplified Certificate Management
Use our certificates or bring your own. Use our API to easily rotate your certificates as often as needed.
Suggested Resources
-
Find out What’s Hiding in Your Encrypted Traffic
Read the report -
ThreatLabz Research: 2021 State of Encrypted Attacks
Read the report -
The politics of TLS/SSL inspection
Read the blog