SSL Inspection Definition
SSL inspection is the process of intercepting and reviewing SSL-encrypted internet communication between the client and the server. The inspection of SSL traffic has become critically important as the vast majority of internet traffic is SSL encrypted, including malicious content.
SSL encryption scrambles data, making it unreadable until decrypted. This added layer of security helps protect sensitive information, but it can also conceal malicious communications that play a role in cyberattacks such as phishing, data breaches, distributed denial of service (DDoS), and many others.
In short, the same tool that confers security can also nurture insecurity. If sensitive data can hide in HTTPS traffic, so can threats. SSL inspection is therefore essential to enable an organization to fully inspect the contents of decrypted traffic before either blocking it or re-encrypting it so that it can continue on its way.
Between January and September of 2021, Zscaler blocked 20.7 billion threats over HTTPS. This represents an increase of more than 314 percent from the 6.6 billion threats blocked in 2020, which itself was a nearly 260 percent increase from the year before.
SSL vs. TLS
Time for a disambiguation. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols that govern encryption and transmission of data between two points. So, what’s the difference?
The now-defunct Netscape developed SSL in the mid-1990s, releasing SSL 3.0 in late 1996. TLS 1.0, based on an improved version of SSL 3.0, came about in 1999. TLS 1.3, released by the Internet Engineering Task Force (IETF) in 2018, is the most recent and secure version as of this writing. Today, SSL is no longer developed or supported—by 2015, the IETF had declared all versions of SSL deprecated due to vulnerabilities (e.g., to man-in-the-middle attacks) and a lack of critical security features.
Despite this and decades of change, outside of a strictly technical sense, most people still say “SSL” as a catch-all for cryptographic protocols. In other words, when you see SSL, TLS, SSL/TLS, HTTPS, and so on, they all mean the same thing most of the time. For the purposes of this article, we’ll clarify as needed.
Benefits of SSL Inspection
An SSL certificate can confer trust and authority, but as malicious actors conceal their attacks in encrypted traffic and channels, they’re effectively weaponizing the strengths of encryption, breaking the chains of that trust. That’s why today’s organizations need to implement SSL inspection to keep their end users, customers, and data safe.
SSL inspection can help modern organizations:
- Prevent data breaches by finding hidden malware and stopping hackers from sneaking past defenses
- Identify what employees are sending outside of the organization, intentionally or accidentally, and respond accordingly
- Meet regulatory compliance requirements by ensuring employees aren’t putting confidential data at risk
- Support a multilayered defense strategy that keeps the entire organization secure
The Need for SSL Inspection
Consider this: The overwhelming majority of web traffic is now encrypted, and some cybersecurity analysts estimate more than 90% of malware may now hide in encrypted channels.
With the popularity of SaaS apps and the cloud today, more data is traversing the internet, more often, exposing it to greater risk. Encryption, therefore, is an essential part of keeping confidential and sensitive data secure. That’s why most browsers, web servers, and cloud apps today encrypt outgoing data as well as exchange that data over HTTPS connections.
Despite this increased encryption usage, many organizations still only perform SSL/TLS inspection on some of their traffic while allowing traffic from certain “trusted” sources to go uninspected. Because the internet can change so easily, this can be risky. Websites, for example, can draw dynamically from multiple sources to display hundreds of objects, each of which may pose a threat.
Meanwhile, malware authors are increasingly using encryption to hide their exploits. With more than 100 SSL certificate authorities around the globe today, it’s easy and inexpensive to obtain a valid signed certificate. At any given time, around 70% of traffic the Zscaler Cloud processes is encrypted, underscoring the importance of being able to inspect inbound and outbound SSL traffic.
So, why doesn’t everybody do it? Quite simply, decryption, inspection, and re-encryption of SSL traffic are highly compute-intensive, and without the right technology, the process can have a devastating impact on your network’s performance. Most companies can’t afford to grind business and workflows to a halt, so they have no choice but to bypass HTTPS inspection on appliances that can’t keep up with the processing demands.
Encryption and the Modern Threat Landscape
With mounting concerns over data privacy in recent years, there’s been a strong trend toward encryption by default. This is great for privacy, but the technical requirements—and in many cases, the pricing of the necessary hardware—are too much for many organizations. As a result, these organizations aren’t equipped to inspect encrypted traffic at scale.
Threat actors know this, so SSL-based threats are on the rise. Though hackers have found many ways to infiltrate systems and steal data, breaking encryption remains difficult and time-consuming. Instead, they’ve begun to use encryption themselves to serve malicious content, hide malware, and carry out attacks without detection.
Certification Isn’t Salvation
For years, the symbol of a lock next to a website’s URL address communicated that the site was secure, but it is no longer any guarantee of safety. Traffic moving through encrypted channels should not be trusted simply by virtue of a digital certificate. Once seen as the ultimate way to secure data being transmitted over the internet, SSL has become yet another tool in the cybercriminal’s kit.
How Does SSL Inspection Work?
There are a few different approaches to SSL interception, decryption, and inspection, each with unique configuration requirements and means of handling SSL connections. Let’s look at the most common ones.
| Method of SSL inspection | Terminal Access Point (TAP) mode | Next-Generation Firewall (NGFW) | Proxy |
|---|---|---|---|
| How it works | A simple hardware device copies all network traffic for offline analysis, including SSL inspection. | Network connections stream through an NGFW with only packet-level visibility, which limits threat detection. | Two separate connections are created between client and server, with full inspection across network flows and sessions. |
| Impact of SSL inspection | Expensive hardware (e.g., 10G network TAPs) is required to ensure all traffic is copied at full line rate without data loss. | NGFWs only see a fraction of malware, allowing it to be delivered in pieces. They require bolt-on proxy functionality and tend to underperform when key features like threat prevention are enabled. | Entire objects can be reassembled and scanned, allowing for scanning by additional threat detection engines, such as sandbox and DLP. |
| Impact on these methods once TLS 1.3 is in use | Retrospective SSL inspection no longer works because of “perfect forward secrecy,” which uses new, ephemeral keys for every SSL session, so a copy of the traffic cannot later be decrypted. | Performance drops notably because TLS 1.3 cipher suites demand more processing power and scale; overcoming this requires a hardware upgrade. | In the case of a cloud proxy delivered as a service, no appliance refresh is required on the customer side to meet TLS 1.3 performance and scale needs. |
For a more specific explanation, we can dig into how it works on the Zscaler platform. When you enable SSL inspection with Zscaler, the process looks like this:
1. A user opens a browser and sends an HTTPS request.
2. The Zscaler service intercepts the HTTPS request. Through a separate SSL tunnel, the service sends its own HTTPS request to the destination server and conducts SSL negotiations.
3. The destination server sends the Zscaler service its certificate with its public key.
4. The Zscaler service and destination server complete the SSL handshake. The application data and subsequent messages are sent through the SSL tunnel.
5. The Zscaler service conducts SSL negotiations with the user’s browser. It sends the browser the Zscaler intermediate certificate or your organization’s custom intermediate root, as well as a server certificate signed by the Zscaler intermediate CA. The browser validates the certificate chain against the browser’s certificate store.
6. The Zscaler service and the browser complete the SSL handshake. The application data and subsequent messages are sent through the SSL tunnel.
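To make the browser-side step concrete, here is an added Go example (not Zscaler’s code) that builds a constructed inspection CA standing in for the intermediate, mints a server certificate for the hostname the browser asked for, and shows that the client accepts that chain only when the inspection CA is in its trust store; the CA name, hostname and validity window are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent with signerKey and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// BuildInspectionChain models step 5: a constructed inspection CA (stand-in for
// the Zscaler or organisational intermediate) mints a leaf for the requested host.
func BuildInspectionChain(host string) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	from, to := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Inspection CA"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	leaf = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	return ca, leaf
}

// ClientAccepts is the browser-side check from step 5: the minted leaf validates
// for host only when the inspection CA is in the client's trust store.
func ClientAccepts(leaf, ca *x509.Certificate, host string, caTrusted bool) bool {
	roots := x509.NewCertPool() // empty pool: system roots are not consulted
	if caTrusted { roots.AddCert(ca) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

An endpoint that has not received the inspection CA fails the same check, which is why certificate distribution to managed devices is part of enabling inspection.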
Zscaler and SSL Inspection
The Zscaler Zero Trust Exchange™ delivers complete SSL inspection as a native capability of our cloud-delivered security stack. As a result, you get superior, agile cloud security at scale, unhampered by the constraints of legacy appliances.
SSL inspection with the world’s largest security cloud offers you:
- Inspect all your users’ SSL traffic, on or off network, with a service that elastically scales to meet your traffic demands.
- Stop managing certificates individually across all gateways. Certificates uploaded to the Zscaler Cloud are immediately available in 150+ Zscaler data centers worldwide.
- Granular Policy Control: Ensure compliance with the flexibility to exclude encrypted user traffic for sensitive website categories such as healthcare or banking.
- Safety and Security: Stay covered with support for the latest AES-GCM and DHE cipher suites for perfect forward secrecy. User data is never stored in the cloud.
- Simplified Certificate Management: Use our certificates or bring your own. Use our API to easily rotate your certificates as often as needed.
Ready to learn more about how you can inspect encrypted traffic without limitations and costly appliances? See how Zscaler SSL Inspection can help.