TLS inspection is a security process that involves intercepting and examining encrypted TLS (Transport Layer Security) traffic between clients and servers. It decrypts the traffic to check for malicious content or vulnerabilities before re-encrypting and forwarding it to its destination, ensuring both security compliance and the integrity of data in transit. This process is performed with the consent of all parties involved.
TLS inspection intercepts TLS communications coming into or going out of a network for a company in a man-in-the-middle approach. The difference is that TLS inspection is a legitimate, internally sanctioned version of the same technique used in man-in-the-middle (MiTM) attacks, but it operates with the consent of both client and server. This security tactic counters misuse of TLS certificates by filtering out potentially dangerous encrypted content such as malware. TLS inspection intercepts all traffic to conduct security measures—such as antivirus scanning, web filtering, and email filtering—to verify that the encrypted traffic is legitimate and not harmful.
This makes it possible for the company to check the flow for potentially hazardous data. Symmetric and asymmetric encryption are both used by TLS to safeguard the privacy and security of data while it is in transmission. A client and a server establish a secure session via asymmetric encryption, and during the secure session, information is exchanged using symmetric encryption.
The inspection of encrypted traffic has become critically important as the vast majority of internet traffic is TLS encrypted, including malicious content. The use of TLS in HTTPS provides security for web traffic containing sensitive information. While this is valuable for user privacy, it is useful for cybercriminals as well. Malware is increasingly using HTTPS to hide its command and control communications.
SSL/TLS Certificates and Their Prevalence on the Dark Web
What Is TLS/SSL?
Before we discuss the ins and outs of TLS inspection, it’s important to set the stage with a brief introduction of TLS encryption. Transport layer security (TLS) is a security protocol designed to facilitate privacy and data security for communications over the Internet. TLS is the latest version of the SSL (or secure socket security) protocol, which has since been deprecated. TLS/SSL ensures the secure online connection between two machines (typically, a server and client) by encrypting the data-in-transit, which is often referred as TLS/SSL encryption.
A primary use case for TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. In its role in creating and securing machine identities, TLS is a vital technology that has been the foundation of internet security since the early days of the web.
Learn more about TLS certificates ->
Learn more about SSL certificates ->
How does TLS/SSL inspection work?
TLS Inspection involves using interception devices to decrypt and examine encrypted traffic. An interceptor is positioned between the client and server, allowing it to analyze all the traffic that passes through.
When a connection is established over HTTPS, the inspector intercepts, decrypts, and scans all the traffic. Initially, the interceptor forms a TLS connection with the web server, during which it decrypts and inspects the data. After the data has been thoroughly scanned, the interceptor establishes a new TLS connection, this time with the client (browser). This process ensures that the data is delivered to the client in its intended encrypted format.
Here is a summary of the TLS/SSL inspection process for inbound traffic:
- The interception device, or middlebox, captures incoming traffic and decrypts the HTTPS sessions between clients and servers. After decrypting the traffic, the middlebox scrutinizes the content using antivirus scans, web filtering, and other security measures. Once the inspection is complete, the interceptor re-encrypts the traffic and sends it onward to its intended destination, typically the web server.
Risks of TLS/SSL inspection
As you plan to implement TLS Inspection, you may encounter practical and technological challenges that pose several risks:
- Ineffective Management of Decrypted Traffic: There's a risk that once the traffic has been decrypted, it might be mishandled if transferred to another site, such as an external server for further analysis. This could misdirect data and expose sensitive information to unsecured or vulnerable systems.
- Compromised TLS Security: A proxy involved in decrypting network traffic to conduct inspections must establish a new HTTPS session before it sends the data to the intended recipient. However, this subsequent connection may not be as secure as the original, often leading to vulnerabilities. Some studies suggest that TLS Inspection can result in a secondary communication channel that uses weaker encryption, thereby exposing the session to potential manipulation or exploitation of lesser-secure TLS versions or cipher suites.
- Certification Authority Violation: TLS solutions include a built-in Certificate Authority (CA) that issues new certificates to facilitate HTTPS communications. A significant risk here is the potential misuse of this CA to issue unauthorized certificates. Such certificates can be mistakenly trusted by TLS clients, allowing external entities to bypass intrusion detection systems (IDS/IPS) or to launch malicious applications mimicking legitimate software.
- Single-Point Vulnerability: TLS inspection systems are especially vulnerable to attacks because they deal with decrypted communication. Attackers might focus their efforts on these systems to access decrypted, valuable traffic instead of attempting to breach multiple data sources.
- Insider Threats to Decrypted Traffic: There is also the risk of insider threats, where employees or contractors with access to the TLS inspection system might exploit this access. They could potentially access and steal credentials and other sensitive data revealed during the decryption process, leveraging their authorized access to the system.
Best practices for TLS/SSL inspection
Implementing a TLS inspection solution involves decrypting, scrutinizing, and granting access to data transmitted across the network to identify potential malware and hidden threats. As a best practice, network traffic from websites deemed trustworthy by the company or related to critical staff services, such as financial and medical services, may be exempted from inspection. Additionally, traffic typically originating from servers known for hosting online games or containing spyware is restricted to enhance both performance and security. To further reduce a company's vulnerability to cyber threats, it is recommended that organizations adopt these and other best practices tailored to bolster network security.
- Inbound vs Outbound Inspection: Inbound inspection looks at traffic flowing to the client, while outbound inspection monitors traffic to the server. Inbound inspection can protect internal webservers by applying IPS (Intrusion Prevention System) protections.
- Respect Legitimate Privacy Concerns: Some types of data are protected under regulations like GDPR, PCI DSS, and HIPAA. The HTTPS inspection rules should be configured to ignore traffic likely to contain these types of sensitive data (i.e. to financial institutions, healthcare organizations, etc.).
- Recommended Bypass List: HTTPS inspection increases network latency and is unnecessary for certain trusted sites. An NGFW should have the ability to use an updateable bypass list to determine which traffic should not be inspected.
- Gateway Certificate: Import the gateway certificate so the endpoint browser will trust the security gateway certificate. This is essential for eliminating browser warnings and creating a seamless user experience.
Enhance your network security with TLS/SSL Inspection With Venafi TLS Protect
TLS inspection is an important process for safeguarding your network against malicious content hidden within encrypted traffic. By intercepting and scrutinizing TLS communications, Venafi TLS Protect ensures the integrity of your data while identifying potential threats. Our solution provides comprehensive coverage, offering antivirus scanning, web filtering, and email filtering to verify the legitimacy of encrypted traffic. Don't leave your network vulnerable to cyber threats. Learn more about how Venafi TLS Protect can bolster your network security and protect your organization's sensitive data.
TLS Machine Identity Management for Dummies
Related posts