What is SSL Inspection?
SSL inspection is the process of intercepting and reviewing SSL-encrypted internet communication between the client and the server. The inspection of SSL traffic has become critically important as the vast majority of internet traffic is SSL encrypted, including malicious content.
Zscaler ThreatLabZ observed an increase of more than 400 percent in phishing attacks delivered over the SSL channel in 2018 when compared to 2017. Attackers continue to leverage the encrypted channel to deliver malware, carry out command-and-control (C&C) activity, and exfiltrate sensitive information from their victims.
The good and the bad
The cryptographic protocol known as Secure Sockets Layer (SSL), originally developed in 1994, and its successor Transport Layer Security (TLS) were designed to help secure communications and give organizations peace of mind about incoming traffic. In recent years, with ever-increasing concerns over data privacy, there has been a massive trend toward internet properties enabling encryption by default. This is a great thing for privacy, but it presents a challenge to IT security. Decrypting, inspecting, and re-encrypting traffic is nontrivial, causing significant performance degradation on traditional security appliances, and most organizations are not equipped to inspect encrypted traffic at scale.
Bad actors know this, which is why SSL-based threats are on the rise. Though hackers have found many ways to infiltrate systems and steal data, breaking encryption remains difficult and time-consuming and is, therefore, an inefficient approach. Instead, they have begun to use encryption themselves to serve malicious content, hide malware, and carry out attacks without detection.
For years, the lock symbol next to a website’s URL communicated that the site was secure, but it is no longer any guarantee of safety. Traffic moving through encrypted channels should not be trusted simply by virtue of a digital certificate. Once seen as the ultimate protection for data being transmitted over the internet, SSL has become the ultimate playground for cybercriminals to carry out their nefarious acts.
The process of SSL inspection
Encrypted traffic accounts for most corporate traffic, but many organizations only inspect some of their encrypted traffic, allowing traffic from content delivery networks (CDNs) and certain “trusted” sites to go uninspected. That can be risky because webpages are not static. They are served up dynamically with personalized content that may consist of hundreds of objects obtained from multiple sources. Each object poses a potential threat and should be considered untrusted, regardless of source.
At the same time, cybercriminals are using encryption to hide their exploits. It’s become easy (and cheap!) to obtain a valid SSL certificate, making it easy for bad actors to hide their malicious content. So much so that 1.7 billion threats hidden in SSL traffic were blocked in a six-month span by the Zscaler Cloud. If you allow encrypted traffic to go uninspected, you are blind to a rising number of potential threats.
But, as mentioned earlier, it takes a lot of compute cycles to inspect SSL traffic, and the performance impact on a company’s infrastructure can be devastating. Companies can’t afford to bring business and workflows to a grinding halt, so they have no choice but to bypass inspection by appliances that can’t keep up with processing demands or the volume.
The common ways to inspect SSL traffic, and the key considerations for each, are summarized below.

Method of SSL inspection: Hardware TAP
How it works: A simple hardware device copies all network traffic for offline analysis, including SSL inspection.
Impact of SSL inspection: Hardware TAP requires expensive hardware (e.g., 10G network TAPs) to ensure all traffic is copied at full line rate without any data loss.
Impact once TLS 1.3 is in use: Retrospectively inspecting SSL will no longer work because of “perfect forward secrecy,” which requires new keys for every SSL session and is mandated by TLS 1.3.

Method of SSL inspection: Next-Gen Firewall (NGFW)
How it works: Network connections stream through an NGFW appliance with only packet-level visibility, which limits the detection of threats.
Impact of SSL inspection: It can only see a small portion of malware at a time, allowing malware to be delivered in segmented pieces. It needs an additional, bolted-on proxy function. Typically, it suffers performance losses when additional functionality (e.g., threat prevention) is enabled.
Impact once TLS 1.3 is in use: It adds to the performance loss. An appliance refresh is required to achieve the originally claimed performance because of the higher performance and scale requirements of the new TLS 1.3 ciphers.

Method of SSL inspection: Proxy
How it works: Two separate connections are created between client and server, with full inspection across the network flow and session.
Impact of SSL inspection: It allows an entire object to be reassembled and scanned, and it allows scanning by additional threat detection engines, such as sandbox and DLP.
Impact once TLS 1.3 is in use: An appliance refresh is required to meet the performance and scale needs of TLS 1.3.
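To make the NGFW-versus-proxy comparison above concrete, here is an added illustration (not code from Zscaler or the original article) of why an engine that only sees individual packets can miss a payload whose signature straddles a segment boundary, while an engine that reassembles the whole object catches it. The signature string, the HTTP body and the segment sizes are all constructed for this example.

```python
# Added illustration: per-segment scanning versus whole-object scanning.
# The signature, the HTTP body and the segment sizes are constructed for
# this example; they are not real detections or samples.
from typing import Iterable, List, Tuple

# Constructed byte pattern standing in for a threat signature (28 bytes).
SIGNATURE = b"X-CONSTRUCTED-TEST-SIGNATURE"


def build_object(sig: bytes = SIGNATURE) -> bytes:
    """Constructed HTTP response body with the signature at offset 46."""
    return b"<html>" + b"A" * 40 + sig + b"B" * 40 + b"</html>"


def segment(payload: bytes, sizes: Iterable[int]) -> List[bytes]:
    """Cut the payload into TCP-segment-sized chunks; any leftover bytes
    become a final segment."""
    out, pos = [], 0
    for n in sizes:
        if pos >= len(payload):
            break
        out.append(payload[pos:pos + n])
        pos += n
    if pos < len(payload):
        out.append(payload[pos:])
    return out


def packet_level_scan(segments: List[bytes], sig: bytes = SIGNATURE) -> bool:
    """Engine with packet-level visibility only: each segment is matched in
    isolation, so a signature split across two segments is never seen whole."""
    return any(sig in seg for seg in segments)


def reassembled_scan(segments: List[bytes], sig: bytes = SIGNATURE) -> bool:
    """Proxy-style engine: the session is terminated, the complete object is
    reassembled and scanned once, so segmentation does not matter."""
    return sig in b"".join(segments)


def compare(sizes: Iterable[int]) -> Tuple[bool, bool]:
    """Return (packet_level_detected, reassembled_detected) for one way of
    segmenting the constructed object."""
    segs = segment(build_object(), sizes)
    return packet_level_scan(segs), reassembled_scan(segs)


if __name__ == "__main__":
    print("boundary inside signature [60, 60]:", compare([60, 60]))
    print("signature intact in one segment [46, 28]:", compare([46, 28]))
```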
How Zscaler does it
The Zscaler Cloud Security platform enables complete SSL inspection at scale, without latency and capacity limitations. By pairing SSL inspection with Zscaler’s complete security stack as a cloud service, you get improved protection without the inspection limitation of appliances.
Zscaler does full inbound and outbound content analysis, and provides unlimited capacity to inspect all your traffic, including SSL. Every user, no matter where they connect from — on or off-network — gets the same protection.