TLS/SSL inspection is the process of intercepting malicious activity that is embedded in encrypted communication.
Using HTTPS to encrypt internet traffic with SSL/TLS certificates protects private and sensitive information as it travels across the world wide web. In that process, encryption transforms all data into an indecipherable format to protect it from eavesdropping and tampering.
However, while encryption protects legitimate data as it moves across the internet, it can also be used by cybercriminals to disguise malicious content as legitimate. Hiding malicious content in encrypted traffic allows malware to slip past common security mechanisms and carry out cyberattacks. In fact, malware authors are increasingly using encryption to hide their exploits because it has become relatively easy and inexpensive to obtain a valid signed TLS certificate.
TLS/SSL inspection is a security tactic that counters this misuse of TLS certificates by filtering out potentially dangerous encrypted content such as malware. TLS inspection intercepts all traffic so that security measures such as antivirus scanning, web filtering, and email filtering can verify that the encrypted traffic is legitimate and not harmful.
What Is TLS/SSL?
Before we discuss the ins and outs of TLS inspection, it is important to set the stage with a brief introduction to TLS encryption. Transport Layer Security (TLS) is a security protocol designed to provide privacy and data security for communications over the Internet. TLS is the latest version of the SSL (Secure Sockets Layer) protocol, which has since been deprecated. TLS/SSL secures the online connection between two machines (typically a server and a client) by encrypting the data in transit, which is often referred to as TLS/SSL encryption.
A primary use case for TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. In its role in creating and securing machine identities, TLS is a vital technology that has been the foundation of internet security since the early days of the web.
What is TLS/SSL inspection?
The inspection of encrypted traffic has become critically important because the vast majority of internet traffic, including malicious content, is now TLS encrypted. The use of TLS in HTTPS provides security for web traffic containing sensitive information. While this is valuable for user privacy, it is useful for cybercriminals as well. Malware is increasingly using HTTPS to hide its command-and-control communications.
TLS inspection intercepts TLS communications entering or leaving a company's network using a man-in-the-middle approach. The difference is that TLS inspection is a legitimate, internally sanctioned version of the same technique used in man-in-the-middle (MITM) attacks, and it operates with the consent of both client and server.
This makes it possible for the company to check the traffic for potentially hazardous data. TLS uses both asymmetric and symmetric encryption to safeguard the privacy and security of data while it is in transit: a client and a server establish a secure session via asymmetric encryption, and during that session information is exchanged using symmetric encryption.
How does TLS/SSL inspection work?
To put it simply, TLS inspection uses an interception device to decrypt and inspect encrypted traffic. This interceptor sits between the client and the server, with all traffic passing through it.
When a connection is made over HTTPS, the inspector intercepts all traffic, decrypts it and scans it. First, the interceptor establishes a TLS connection with the web server. Here it decrypts and examines the data. Once scanning is done, it creates another TLS connection, this time with the client (browser). This way, the data reaches the client in encrypted form, as originally intended.
Here is an overview of the SSL inspection process for inbound traffic:
- First, the middlebox intercepts incoming traffic and decrypts the HTTPS sessions between clients and servers.
- Once the traffic has been decrypted, the middlebox inspects the content through antivirus scanning, web filtering, and similar controls.
- Then the interceptor re-encrypts the traffic and forwards it to the destination, in this case the web server.
Risks of TLS/SSL inspection
You may run into problems as you plan the deployment of TLS inspection because of practical and technological issues. The following risks are associated with TLS inspection:
- Ineffective decrypted traffic management: Once communication has been decrypted, there is a chance that it will be handled improperly if it is transferred elsewhere, such as to an external server, for examination. The data could be misdirected, exposing critical information to untrusted or poorly secured systems.
- Reduced TLS security: A proxy that decrypts network traffic to inspect it needs to establish a fresh HTTPS session before sending the traffic on to the intended receiver. However, this second connection is not always as strong as the original one. According to some studies, TLS inspection solutions frequently permit a second channel with less robust encryption. This leaves the session exposed to interception, or to exploitation of vulnerabilities in weaker TLS versions or cipher suites.
- Compromise of the Certificate Authority: TLS inspection solutions contain an inbuilt certificate authority (CA) that issues fresh certificates in order to establish these new HTTPS sessions. The main concern is that this CA could be exploited to issue illegitimate certificates that are trusted by TLS clients, which would allow an outsider to sign malicious software so that it bypasses host IDS/IPS, or to stand up harmful services that impersonate the original.
- A Single Point of Vulnerability: TLS inspection products are a prime target for attackers simply because decrypted communication is present on them. Attackers can concentrate their efforts on one appliance where all the valuable traffic is decrypted instead of trying to compromise each of the many data sources.
- Exposure of Decrypted Traffic to Insiders: Beyond external attackers, employees with bad intentions and contractors with permission to operate the service might be drawn to the sensitive choke point that the TLS inspection process creates. Such authorized people might misuse their privileges to steal credentials and other private information exposed in the decrypted communication.
Best practices for TLS/SSL inspection
With a TLS inspection solution, data transmitted across the network is decrypted, examined, and then passed on, in order to find potential malicious software and hidden threats. As a best practice, some traffic is excluded from inspection: for example, when a website is regarded as reliable by the company, or when it concerns staff privacy, such as financial and medical services. Other traffic, generally to servers hosting online games or known spyware, is blocked for performance and safety reasons. Additional best practices that help lower a company's susceptibility to such cyber dangers include:
- Inbound vs. Outbound Inspection: Inbound inspection looks at traffic flowing to the client, while outbound inspection monitors traffic to the server. Inbound inspection can protect internal web servers by applying IPS (Intrusion Prevention System) protections.
- Respect Legitimate Privacy Concerns: Some types of data are protected under regulations like GDPR, PCI DSS, and HIPAA. The HTTPS inspection rules should be configured to bypass traffic likely to contain these types of sensitive data (e.g. traffic to financial institutions, healthcare organizations, etc.).
- Recommended Bypass List: HTTPS inspection increases network latency and is unnecessary for certain trusted sites. An NGFW should have the ability to use an updateable bypass list to determine which traffic should not be inspected.
- Gateway Certificate: Import the gateway certificate so the endpoint browser will trust the security gateway certificate. This is essential for eliminating browser warnings and creating a seamless user experience.
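The following Go program is an added example, not code from the original article or from any inspection product. It stands in for the interceptor's client-facing leg described under "How does TLS/SSL inspection work?" and shows why the gateway certificate must be imported: it mints an inspection CA, issues a certificate for a constructed origin name from that CA, then connects as a client once with the CA trusted and once without. The trusted client succeeds and sees the inspection CA as the issuer of the leaf (a quick way to confirm that a connection is being inspected), while the untrusted client fails verification, which is what produces the browser warning. The function names, the CA name and the origin name are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// makeCert mints a certificate for name: self-signed (the inspection CA) when parent is nil, otherwise signed by parent.
func makeCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// StartInspector listens on loopback as the interceptor's client-facing leg, presenting a certificate for origin minted by the inspection CA.
func StartInspector(ca *x509.Certificate, caKey ed25519.PrivateKey, origin string) (string, error) {
	leaf, leafKey := makeCert(origin, ca, caKey)
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	go func() { // finish each handshake and hang up; no application data is exchanged here
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(tc *tls.Conn) { tc.Handshake(); tc.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), nil
}
// LeafIssuer connects as a client that trusts roots and reports who issued the leaf it was shown; it fails unless the gateway CA is in roots.
func LeafIssuer(addr, serverName string, roots *x509.CertPool) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Issuer.CommonName, nil
}
```

The same check against a real gateway is simply LeafIssuer pointed at any HTTPS host from an endpoint: an issuer equal to the corporate CA's name means the session is being inspected.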