Resources > Security Terms Glossary > What Is SSL Inspection

What is SSL Inspection?

What is SSL inspection?

SSL inspection is the process of intercepting and reviewing SSL-encrypted internet communication between the client and the server. The inspection of SSL traffic has become critically important as the vast majority of internet traffic is SSL encrypted, including malicious content.

Zscaler ThreatLabZ observed an increase of more than 400 percent in phishing attacks delivered over the SSL channel in 2018 when compared to 2017. Attackers continue to leverage the encrypted channel for delivering malware, C&C activity, and exfiltrating sensitive information from their victims.
Zscaler™ Cloud Security Insights: An analysis of SSL/TLS-based threats, 2019

The good and the bad

The cryptographic protocol known as Secure Sockets Layer (SSL) —originally developed in 1994—and its successor Transport Layer Security (TLS) was designed to help secure communications and give organizations peace of mind about incoming traffic. In recent years, with the ever-increasing concerns over data privacy, there has been a massive trend toward internet properties having encryption by default. This is a great thing for privacy, but it presents a challenge to IT security. Decrypting, inspecting, and re-encrypting traffic is nontrivial, causing significant performance degradation on traditional security appliances, and most organizations are not equipped to inspect encrypted traffic at scale.

Bad actors know this, which is why SSL-based threats are on the rise. Though hackers have found many ways to infiltrate systems and steal data, breaking encryption remains difficult and time-consuming and is, therefore, an inefficient approach. Instead, they have begun to use encryption themselves to serve malicious content, hide malware, and carry out attacks without detection.

For years, the symbol of a lock next to a website’s URL address communicated that the site was secure, but it is no longer any guarantee of safety. Traffic moving through encrypted channels should not be trusted simply by virtue of a digital certificate. Once seen as the ultimate protection for data being transmitted over the internet, SSL has become the ultimate playground for cybercriminals to carry out their nefarious acts.

 
About half our stores are now using SSL interception and we expect to have that rollout completed within a few months. Some retail applications don’t play well with SSL inspection, so we had to ensure we didn’t interrupt any operations.
Jeff Johnson, Director of Security Operations, AutoNation
As of June 2020, 96 percent of the pages on Google Chrome in the U.S. were loaded using encryption (HTTPS).
Google Transparency Report

The process of SSL inspection

Encrypted traffic accounts for most corporate traffic, but many organizations only inspect some of their encrypted traffic, allowing traffic from content deliver networks (CDNs) and certain “trusted” sites to go uninspected. But that can be risky because webpages are not static. They are served up dynamically with personalized content that may consist of hundreds of objects obtained from multiple sources. Each object poses a potential threat and should be considered untrusted, regardless of source.

At the same time, cybercriminals are using encryption to hide their exploits. It’s become easy (and cheap!) to obtain a valid SSL certificate, making it easy for bad actors to hide their malicious content. So much so that 1.7 billion threats hidden in SSL traffic were blocked in a six-month span by the Zscaler Cloud. If you allow encrypted traffic to go uninspected, you are blind to a rising number of potential threats.

But, as mentioned earlier, it takes a lot of compute cycles to inspect SSL traffic, and the performance impact on a company’s infrastructure can be devastating. Companies can’t afford to bring business and workflows to a grinding halt, so they have no choice but to bypass inspection by appliances that can’t keep up with processing demands or the volume.

This table shows the common ways to inspect SSL traffic and their key considerations.

Method of SSL inspection
TAP mode
Next-Gen Firewall (NGFW)
Proxy
How it works
A simple hardware device copies all network traffic for offline analysis, including SSL inspection.
Network connections stream through an NGFW appliance with only packet-level visibility, which limits the detection of threats.
Two separate connections are created between client and server, with full inspection across network flow and session.
Impact of SSL inspection
Hardware TAP requires expensive hardware (e.g., 10G network TAPs) to ensure all traffic is copied at full line rate without any data loss.
It can only see a small portion of malware, allowing malware to be delivered in segmented pieces. It needs an additional proxy function (bolt-on). Typically, it experiences performance losses when additional functionality (e.g., threat prevention) is enabled.
It allows an entire object to be reassembled and scanned. It allows for scanning by additional threat detection engines, such as sandbox and DLP.
Impact on these methods once TLS 1.3 is in use
Retrospectively inspecting SSL will no longer work due to “perfect forward secrecy,” that requires new keys for every SSL session and is mandated by TLS 1.3.
It adds to performance loss. Appliance refresh is required to achieve the original claimed performance due to the higher performance and scale requirements of new TLS 1.3 ciphers.
Appliance refresh required to meet the performance and scale needs of new TLS 1.3.

Encryption, Privacy, and Data Protection: A Balancing Act

Read the White Paper
Encryption, Privacy, and Data Protection: A Balancing Act

Zscaler’s Security Stack as a Service with Unlimited SSL Inspection

Read the Data Sheet
Encryption, Privacy, and Data Protection: A Balancing Act

Making the Case For Inspecting Corporate SSL Traffic

Read the Blog
Encryption, Privacy, and Data Protection: A Balancing Act

How Zscaler does it

The Zscaler Cloud Security platform enables complete SSL inspection at scale, without latency and capacity limitations. By pairing SSL inspection with Zscaler’s complete security stack as a cloud service, you get improved protection without the inspection limitation of appliances.

Zscaler does full inbound and outbound content analysis, and provides unlimited capacity to inspect all your traffic, including SSL. Every user, no matter where they connect from — on or off-network — gets the same protection.

 

Additional resources: