What Is SSL Inspection?

SSL inspection is the process of intercepting and reviewing SSL-encrypted internet communication between the client and the server. The inspection of SSL traffic has become critically important as the vast majority of internet traffic is SSL encrypted, including malicious content.


Why Is SSL Inspection Important?

The popularity of SaaS apps and the cloud today means more data is traversing the internet, more often, exposing it to greater risk. Encryption, therefore, is an essential part of keeping confidential and sensitive data secure. That’s why most browsers, web servers, and cloud apps today default to HTTPS, so that data is encrypted in transit.

Unfortunately, it works both ways—if sensitive data can hide in HTTPS traffic, so can threats. This makes effective SSL inspection equally essential as it enables an organization to fully inspect the contents of decrypted traffic before either blocking it or re-encrypting it so that it can continue on its way.

Between January and September of 2021, Zscaler blocked 20.7 billion threats over HTTPS. This represents an increase of more than 314 percent from the 6.6 billion threats blocked in 2020, which itself was a nearly 260 percent increase from the year before.

ThreatLabz: The State of Encrypted Attacks, 2021

SSL vs. TLS

Time for a disambiguation. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols that govern encryption and transmission of data between two points. So, what’s the difference?

Netscape, now defunct, developed SSL in the mid-1990s and released SSL 3.0 in 1996. TLS 1.0, an improved version of SSL 3.0, was published by the Internet Engineering Task Force (IETF) in 1999 (RFC 2246). TLS 1.3, published as RFC 8446 in 2018, is the most recent and most secure version as of this writing; TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996, 2021). SSL itself is no longer developed or supported: the IETF prohibited SSL 2.0 in 2011 (RFC 6176) and deprecated SSL 3.0 in 2015 (RFC 7568), citing protocol weaknesses such as the POODLE attack, which lets a man-in-the-middle decrypt parts of an SSL 3.0 session, and the lack of modern cipher suites and extensions.

Despite this, most people outside a strictly technical context still say “SSL” as a catch-all for these protocols. So when you see SSL, TLS, or SSL/TLS, they usually refer to the same thing: the TLS protocol securing the connection. HTTPS differs slightly: it is HTTP carried over a TLS connection, so “HTTPS inspection” and “SSL/TLS inspection” describe the same operation applied to web traffic. For the purposes of this article, we’ll clarify as needed.

Benefits of SSL Inspection

Implementing SSL inspection helps today’s organizations keep their end users, customers, and data safe, with the ability to:

  • Prevent data breaches by finding hidden malware and stopping hackers from sneaking past defenses
  • See and understand what employees are sending outside of the organization, intentionally or accidentally
  • Meet regulatory compliance requirements, ensuring employees aren’t putting confidential data at risk
  • Support a multilayered defense strategy that keeps the entire organization secure

The Need for SSL Inspection

SSL inspection is a vital network security capability for modern organizations since the overwhelming majority of web traffic is now encrypted, and some cybersecurity analysts estimate more than 90% of malware may now hide in encrypted channels.

Despite this increased use of encryption, many organizations still inspect only some of their SSL/TLS traffic and let traffic from certain “trusted” sources pass uninspected. Because web content is so dynamic, this is risky: a single page is assembled from many sources (scripts, ads, CDNs, analytics) and can load hundreds of objects, any one of which may be malicious even when the first-party site is reputable.

Meanwhile, malware authors increasingly use encryption to hide their exploits. With more than 100 certificate authorities trusted by browsers today, a valid, publicly trusted certificate is easy and inexpensive to obtain; domain-validated certificates are free and fully automated through ACME CAs such as Let’s Encrypt, and attackers obtain them for their own domains exactly as legitimate sites do. A valid certificate proves control of a domain name, not good intent. At any given time, around 70% of the traffic the Zscaler cloud processes is encrypted, accentuating the importance of being able to inspect SSL traffic.

So, why doesn’t everybody do it? Decrypting, inspecting, and re-encrypting SSL traffic is compute-intensive: the inspecting device performs two full TLS handshakes and two streams of symmetric encryption for every connection it terminates. Without hardware sized for that load, the process can severely degrade network throughput. Most companies can’t afford to grind business and workflows to a halt, so when an appliance can’t keep up with the processing demands they end up bypassing HTTPS inspection for some or all of their traffic.

Encryption and the Modern Threat Landscape

With mounting concerns over data privacy in recent years, there has been a strong trend toward encryption by default. This is good for privacy, but the technical requirements, and in many cases the cost of the necessary hardware, are beyond what many organizations can take on. As a result, these organizations aren’t equipped to inspect encrypted traffic at scale.

Threat actors know this, so SSL-based threats are on the rise. Though hackers have found many ways to infiltrate systems and steal data, breaking encryption remains difficult and time-consuming and is, therefore, an inefficient approach. Instead, they have begun to use encryption themselves to serve malicious content, hide malware, and carry out attacks without detection.

For years, the lock icon next to a website’s address was read as meaning the site was safe, but it never meant that. The lock says only that the connection is encrypted and that the certificate is valid for that hostname; it says nothing about the content served over it. Traffic moving through encrypted channels should not be trusted simply by virtue of a digital certificate. Once seen as the ultimate protection for data in transit, SSL has become an equally convenient cover for cybercriminals to carry out their attacks.

As of June 2020, 96 percent of the pages on Google Chrome in the U.S. were loaded using encryption (HTTPS).

Google Transparency Report

How SSL Inspection Works

There are a few different approaches to SSL decryption and inspection. Let’s look at the most common ones and key considerations for each.

Network TAP (test access point) mode

  • How it works: A hardware tap copies all network traffic for offline analysis, including SSL inspection, which decrypts the captured sessions using a copy of the server’s private key.

  • Impact of SSL inspection: Expensive hardware (e.g., 10G network TAPs) is required to ensure all traffic is copied at full line rate without data loss.

  • Once TLS 1.3 is in use: Retrospective, passive decryption no longer works. TLS 1.3 removed static RSA key exchange and mandates ephemeral (EC)DHE, so every session derives fresh keys that the server’s long-term private key cannot recover (perfect forward secrecy). A tap that only holds the server key sees ciphertext; inspection then requires an active proxy, or session keys exported from the endpoints.

Next-Generation Firewall (NGFW)

  • How it works: Network connections stream through the firewall with only packet-level visibility, which limits threat detection.

  • Impact of SSL inspection: NGFWs only see a fraction of malware, allowing it to be delivered in pieces. Full inspection requires bolt-on proxy functionality, and throughput tends to drop when key features like threat prevention are enabled.

  • Once TLS 1.3 is in use: Performance drops further. In TLS 1.3 the server certificate is encrypted, so the appliance can no longer read it passively and must terminate both sides of the session (two handshakes per connection) to see it; only the Server Name Indication in the ClientHello remains in the clear. Meeting the resulting performance and scale requirements typically means a hardware upgrade.

Proxy

  • How it works: Two separate TLS connections are terminated, client-to-proxy and proxy-to-server, giving full inspection across network flows and sessions.

  • Impact of SSL inspection: Entire objects can be reassembled and scanned, allowing for scanning by additional threat detection engines, such as sandbox and DLP.

  • Once TLS 1.3 is in use: A proxy already performs its own handshake on each side, so TLS 1.3 changes nothing architecturally. In the case of a cloud proxy delivered as a service, no appliance refresh is required on the customer side to meet TLS 1.3 performance and scale needs.

For a more specific explanation, we can dig into how it works on the Zscaler platform. When you enable SSL inspection with Zscaler, the process looks like this:

  1. A user opens a browser and sends an HTTPS request.

  2. The Zscaler service intercepts the HTTPS request. Through a separate SSL tunnel, the service sends its own HTTPS request to the destination server and conducts SSL negotiations.

  3. The destination server sends the Zscaler service its certificate with its public key.

  4. The Zscaler service and destination server complete the SSL handshake. The application data and subsequent messages are sent through the SSL tunnel.

  5. The Zscaler service conducts SSL negotiations with the user’s browser. It sends the browser the Zscaler intermediate certificate (or your organization’s custom intermediate root) together with a server certificate for the requested hostname, freshly signed by that intermediate CA. The browser validates this chain against its own certificate store, so the Zscaler root (or your custom root) must be installed as trusted on managed devices. A device without it sees a certificate warning, and applications that pin the origin’s certificate, or that authenticate with client certificates (mutual TLS), fail under interception and need a bypass.

  6. The Zscaler service and the browser complete the SSL handshake. The application data and subsequent messages are sent through the SSL tunnel, with the service inspecting the plaintext in between.
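The six steps above, played out in process as an added example. This is illustrative code written for this page using Go’s standard crypto/tls and crypto/x509, not Zscaler’s implementation. It generates two self-signed CAs on the fly, a constructed “public” root that issued the origin’s certificate and a separate inspection CA, and the proxy terminates both legs over loopback TCP. The hostname www.example.com, the CA names and the `Proxy`/`Inspect`/`mintCert` helpers are assumptions made for the demo. The proxy verifies the origin’s chain before minting a leaf for the browser; if the origin is untrusted it refuses rather than laundering a bad certificate into one the browser would trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error; acceptable here because every fallible call is demo fixture setup.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintCert issues a certificate with a fresh P-256 key: a self-signed CA when parent is nil,
// otherwise a server leaf for host signed by parent/parentKey. (Demo helper, not a product API.)
func mintCert(cn, host string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{host} // browsers match the SAN, not the CN
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// tlsPair runs one TLS handshake over loopback TCP: a server presenting chain against a client
// that verifies it for host using roots. It returns the client's view and its handshake error.
func tlsPair(host string, chain tls.Certificate, roots *x509.CertPool) (tls.ConnectionState, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer c.Close()
		done <- tls.Server(c, &tls.Config{Certificates: []tls.Certificate{chain}}).Handshake()
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	cli := tls.Client(raw, &tls.Config{ServerName: host, RootCAs: roots})
	err := cli.Handshake()
	<-done // the server side completes, or fails on the client's bad_certificate alert
	return cli.ConnectionState(), err
}

// Proxy is the inspecting middlebox: the CA it signs forged leaves with and the roots it trusts upstream.
type Proxy struct {
	CA    *x509.Certificate
	Key   *ecdsa.PrivateKey
	Roots *x509.CertPool
}

// Result is what each party observed in one inspected session.
type Result struct {
	OriginIssuer string // issuer of the certificate the proxy received from the origin (steps 2-4)
	ClientIssuer string // issuer of the certificate the browser received from the proxy (steps 5-6)
	ClientErr    error  // browser-side verification error; nil only if it trusts the inspection CA
}

// Inspect plays the six steps for a browser trusting browserRoots against an origin presenting
// origin. An origin the proxy cannot verify is refused, not laundered into a trusted certificate.
func (p *Proxy) Inspect(host string, origin tls.Certificate, browserRoots *x509.CertPool) (Result, error) {
	var r Result
	up, err := tlsPair(host, origin, p.Roots) // steps 2-4: proxy <-> origin
	if err != nil {
		return r, fmt.Errorf("origin %s failed verification, not forging a cert: %w", host, err)
	}
	r.OriginIssuer = up.PeerCertificates[0].Issuer.CommonName
	leaf, leafKey := mintCert(host, host, p.CA, p.Key) // step 5: forge a leaf for the host
	forged := tls.Certificate{Certificate: [][]byte{leaf.Raw, p.CA.Raw}, PrivateKey: leafKey}
	down, err := tlsPair(host, forged, browserRoots) // steps 5-6: browser <-> proxy
	if r.ClientErr = err; err == nil {
		r.ClientIssuer = down.PeerCertificates[0].Issuer.CommonName
	}
	return r, nil
}

func main() {
	host := "www.example.com" // constructed hostname; the only traffic is on loopback
	pubCA, pubKey := mintCert("Public Root CA", "", nil, nil)
	leaf, key := mintCert(host, host, pubCA, pubKey)
	origin := tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}
	p := &Proxy{Roots: x509.NewCertPool()}
	p.Roots.AddCert(pubCA)
	p.CA, p.Key = mintCert("Corp Inspection CA", "", nil, nil)
	managed := x509.NewCertPool() // a managed browser has the inspection CA installed
	managed.AddCert(p.CA)
	for name, roots := range map[string]*x509.CertPool{"managed": managed, "unmanaged": p.Roots} {
		r, err := p.Inspect(host, origin, roots)
		fmt.Printf("%s browser: origin issuer=%q, browser sees issuer=%q, browser err=%v, proxy err=%v\n",
			name, r.OriginIssuer, r.ClientIssuer, r.ClientErr, err)
	}
}
```

Run it and the managed browser completes the handshake but sees a certificate issued by Corp Inspection CA rather than the origin’s real issuer, while the unmanaged browser rejects the forged leaf with an unknown-authority error. That issuer mismatch is exactly what a pinned application observes, and it is also the quickest check for whether a given path is being inspected: compare the issuer of the certificate your client receives with the issuer the site actually uses.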

Zscaler and SSL Inspection

The Zscaler Zero Trust Exchange™ platform enables complete SSL inspection at scale without latency or capacity limitations. By pairing SSL inspection with our complete security stack as a cloud service, you get superior protection without the constraints of appliances.

Unlimited Capacity

Inspect all your users’ SSL traffic, on or off network, with a service that elastically scales to meet your traffic demands.

Leaner Administration

Stop managing certificates individually across all gateways. Certificates uploaded to the Zscaler Cloud are immediately available in 150+ Zscaler data centers worldwide.

Granular Policy Control

Ensure compliance with the flexibility to exclude encrypted user traffic for sensitive website categories such as healthcare or banking.

Safety and Security

Stay covered with support for modern cipher suites: AES-GCM authenticated encryption for the record layer, and ECDHE/DHE key exchange, which is what provides perfect forward secrecy. User data is never stored in the cloud.

Simplified Certificate Management

Use our certificates or bring your own. Use our API to easily rotate your certificates as often as needed.

Ready to learn more about how you can inspect encrypted traffic without limitations and costly appliances? See how Zscaler SSL Inspection can help.
