SSL Inspection: What Is It? How Does It Operate?

SSL inspection is a rather controversial topic in the world of online security. Without a doubt, SSL certificates are a core component of internet safety, used around the world with each request for information from a website. SSL inspection may therefore be a concerning factor for some people.

Some people believe SSL inspection is not a safe idea and is just wrong. Others believe it is one of the best resources possible for the task at hand. No matter which side of the coin you are on, understanding what it is, why it is used, and how it operates can help you determine if this is the best tool for your specific needs and applications.

So, what is SSL inspection? Is SSL certificate inspection a good thing, and how does it work?


What Are SSL Certificates?


To answer these questions, let’s create a foundation of knowledge about what SSL certificates are and why they are used.

As noted by AWS, an SSL certificate, or Secure Sockets Layer, which was once called TLS or Transport Layer Security, is a type of protocol. An SSL certificate is a type of digital object (there are no actual pieces of paper lying around). Instead, it is a digital certificate that lets systems verify the other party’s identity. This then creates an encrypted network connection to another system.

In other words, certificates are used within a complex cryptographic system called the public key infrastructure (PKI). With PKI, the object is to create a safe way for one user to establish the identity of the other party. A certificate shows that there is trust because it comes from a third party. That third party is called a Certificate Authority (CA). Confused?

In short, an SSL certificate works as a type of digital identity card or passcode. It allows for secure communication between the parties by allowing for clarity in identifying the website over the internet. It can also be used to identify resources on private networks.

When an SSL certificate is present, it means the CA has verified the identity of the website as authentic or trusted. That allows for the transmission of data in a secure manner.

What Is SSL Inspection?


The topic we refer to is SSL inspection or sometimes HTTPS interception or TLS interception.

It is a process that intercepts SSL-encrypted internet communication between the client and the server. It can be executed between both the sender and the receiver (or the reverse of this). The process itself is the same as that used in what are called man-in-the-middle attacks or MiTM attacks. This process is done without the consent of both the sender and the receiver.

Right away, you may be thinking that SSL inspection is an underhand and wrong thing to do – it seems to eliminate the trust that is being created with the CA in the SSL certificates. There is a bit more to the process than that, and therefore, you should not just walk away at this point. More so, we have to understand why SSL is considered a good thing and when it may not be.

SSL is all good, right?

SSL encryption is certainly a good thing, and it provides a critical level of support for many transactions. Without it, your private and sensitive data would be exposed to the world every time you made a purchase using a credit card online or entered a password to a website. All of this data is encrypted in an incredibly complex way so that it cannot be deciphered and, therefore, is fully protected from anyone who wants to tamper with that data or otherwise capture it.

Again, that sounds like a very good thing and not something you want to get in the way of if you are engaging in honorable actions. However, not everything about SSL certificates can be considered good.

In most situations, just good, legitimate information is being passed through this SSL certificate verification process. However, there are times when malicious content can also be hidden within that encrypted data. Because this process is fully encrypted, there is no way to know that the malicious data is hidden within that encrypted traffic.

What does that mean for actual use then?

It is possible for malicious information or data to be incorporated into the encryption process and hidden so well by it that it can slip right by the most common security mechanisms currently in place. That means that malicious data could ultimately reach your location and take whatever less-than-desirable action it wants to take.

In this situation, the SSL certificate is not going to stop that transaction because it does not know it is there.

Unfortunately, attacks like this, called SSL-type malware attacks, are more common today than they have been in the past. According to one resource, nearly 40% of malware – the data and code that can cause serious damage to any computer system – comes through using the HTTPS protocol. That means that even though you believe you are safe, the fact is, you may not be.

Back to the question: What Is SSL Inspection going to do about this?

The goal of an SSL inspection is to inspect, find, and filter out all of the potentially dangerous content that is being passed through the encryption process. That includes detecting malware before it gets to the end site.

This is often referred to as a Full SSL Inspection or, in some situations, a Deep SSL Inspection. In short, the concept is that it would enable you to scan through that information using web filtering or email filtering (or other types of strategies) to find and prevent malicious content from making its way through.

How can this be done when there’s so much encryption present in the first place? In short, it is done by a middlebox, or the entity in the middle working as an interception device.

It is an interesting concept, right? It also seems very important and valuable to anyone who may be worried about content moving through systems for all the wrong reasons. However, there is a bit more to it that you need to consider.

How Does SSL Inspection Actually Happen?

Now that you have an idea of the concept of SSL inspection, consider what it does and how it works.

To be clear – and this may not sound like the ideal situation – an SSL inspection is a type of MiTM attack. It is used specifically with the purpose of filtering out the potentially malicious content that is being passed through encryption.

This process is done by an SSL inspector or interception device. This device is located between the server and the client. The SSL inspector sits as a type of guard to ensure that nothing bad is heading through.

Consider it like a security guard at the airport. You have the metal detectors to scan for material that should not be brought through, but even in some situations, it can squeak by. With the inspector – or agent who pats people down – there is another layer of security that aims to really dig in and find any type of problematic information or malicious information that is being passed through. The difference here is that this process is all digital. The interceptor captures all traffic passing through it and ensures it is safe to move forward.

How does it work?

Once there is a connection made over HTTPS, the SSL inspector intercepts all traffic that is coming through it. It then decrypts that information and scans it. Then, the SSL interceptor will establish an SSL connection with the end web server.

In doing this, it decrypts and examines the data (this is all done very quickly, so there is no delay in the process). However, once all of the scanning is complete, another SSL connection is created. This time, it is done with the client or the browser, more specifically.

This means that the data gets to the client in the necessary and expected encrypted format, and only what was intended to be sent actually makes it there, leaving all malicious information behind.

How the SSL Break and Inspect Process Works


This SSL inspection process is established in advance to create this level of security. In short, it follows this process for all inbound traffic:

1. Intercept

The first step occurs when the middlebox, or SSL inspector, intercepts the traffic that is coming into it. It then decrypts the HTTPS sessions between the client (browser) and the servers.

2. Inspect

The next step is the actual inspection. The middlebox will inspect the content. This is done using antivirus scanning as well as other tools put in place, such as web filtering, based on the risk factors believed to be present. All of the data is scanned as desired.

3. Encryption

The next step involves the encryption of that traffic again. The SSL inspector encrypts the traffic and then sends it on to where it was supposed to go, such as the web server.

In many ways, SSL inspection works in just the same way for outbound traffic. It makes sense and can provide a significant amount of insight into what is being transferred between the client and server as a result.

The Problem with SSL Inspection

It certainly seems like SSL inspection is a good thing, and there is no reason not to use it. However, the entire process is not always done above board. That is, there are some instances in which it is not being used in the best way.

Some people even say that SSL inspection like this is hurting security that was put in place by SSL certificates in the first place.

One example of this was a research team that, in 2017, studied the entire process. They found that SSL inspection was likely doing more harm than good.

How could they say that?

They studied 8 billion SSL handshakes or connections in which data was being sent through HTTPS and SSL certificates. They looked at that data to determine when there was an SSL interceptor present and when there was not.

Remember that, in most cases, you want the SSL certification process to move forward without limitation or hassle. However, this team found that nearly 11% of all observed connections were, in fact, intercepted.

If that many connections were being intercepted, it would be hard to believe in and trust HTTPS connections as being safe in the first place. Remember, too, that this process can be used for less-than-desirable reasons. The research team determined that these interceptions were creating a weakened HTTPS process because they used outdated cryptography and did not put in place features to minimize risk.

How could it weaken the process when it should seem to be improving security?

The study showed that there is some real risk present. In fact, about two-thirds of the data that goes through a middlebox (the SSL interceptor) has a lowered level of security, and about 58% of these transactions have severe vulnerabilities. A number of factors, such as the use of antivirus protections and corporate proxies, bring this on. All of these reduce the connection security. That means that they can introduce vulnerabilities into the system – exactly what you are hoping to avoid by using an SSL certificate.
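One way to look for this weakening on your own middlebox is to compare what each client offered with what the proxy negotiated upstream. The following is an added example, not code from the article or from the study; the log format, the sample lines and the four checks are assumptions made for illustration.

```python
import re

# Constructed sample in a hypothetical middlebox log format (not a real product's):
# conn id, highest version the client offered, what the proxy negotiated upstream,
# the upstream cipher suite, and whether the proxy validated the server certificate.
SAMPLE_LOG = """\
conn=1 client_offer=TLSv1.3 upstream=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 verify=on
conn=2 client_offer=TLSv1.3 upstream=TLSv1.0 cipher=ECDHE-RSA-AES128-SHA verify=on
conn=3 client_offer=TLSv1.2 upstream=TLSv1.2 cipher=RC4-MD5 verify=on
conn=4 client_offer=TLSv1.2 upstream=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 verify=off
"""

VERSION_RANK = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Cipher-name components that mark a suite as broken or obsolete.
WEAK_PARTS = {"RC4", "DES", "3DES", "CBC3", "MD5", "NULL", "EXP", "EXPORT", "ADH", "AECDH"}
LINE_RE = re.compile(
    r"conn=(\S+) client_offer=(\S+) upstream=(\S+) cipher=(\S+) verify=(on|off)"
)


def audit_line(line):
    """Return (conn_id, findings) for one log line, or None if it does not parse."""
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        return None
    conn, offer, upstream, cipher, verify = m.groups()
    if offer not in VERSION_RANK or upstream not in VERSION_RANK:
        return conn, ["unknown-version"]
    findings = []
    if VERSION_RANK[upstream] < VERSION_RANK[offer]:
        findings.append("downgrade")            # proxy negotiated less than the client could
    if VERSION_RANK[upstream] < VERSION_RANK["TLSv1.2"]:
        findings.append("deprecated-protocol")
    if WEAK_PARTS & set(re.split(r"[-_]", cipher.upper())):
        findings.append("weak-cipher")
    if verify == "off":
        findings.append("no-cert-validation")   # upstream identity was never checked
    return conn, findings


def audit(log_text):
    """Map each parsed connection id to its list of findings."""
    parsed = (audit_line(l) for l in log_text.splitlines() if l.strip())
    return dict(p for p in parsed if p is not None)


def weakened_share(results):
    """Fraction of connections with at least one finding."""
    return sum(1 for f in results.values() if f) / len(results) if results else 0.0


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for conn, findings in report.items():
        print(conn, findings or "ok")
    print(f"weakened: {weakened_share(report):.0%}")
```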

This is something to keep in mind as you consider SSL inspection.

What Are the Benefits of Using SSL Inspection?


Ultimately, utilizing SSL inspection does have some benefits. It is often used by companies and organizations that want to protect their data further. It can be used by the same organizations to protect servers and, ultimately, to operate in a safer plane.

When incorporated properly and when used with the utmost care, SSL inspections can offer several benefits:

  • Prevent employee access to malicious content on other websites. In short, this process can work to prevent employees from visiting a dangerous website that could infect the network and bring the company’s system down.
  • Stop some types of attacks. The use of SSL certification can also help to spot and then stop some types of malicious attacks. That includes DDoS attacks, which are considered some of the most worrisome.
  • Monitor for volume. Another way it can be set up and used is to spot unusually high amounts of data that could be moving through the network. This could provide indications that someone is tapping into data that should not be transferred.
  • Filter out specifics. You can also use SSL inspection as a way to filter out specific IP addresses, locales, or specific users.

Remember the basics here:

  • SSL certificates help to improve security.
  • SSL certificates do not guarantee complete safety.

If your business or organization wants to add a way to reduce the risk of bad actors accessing the content on your network or prevent others from accessing dangerous information, you absolutely need to consider all possible layers of security, including SSL inspections.

How Can You Utilize SSL Inspection for Your Needs?

Remember that the SSL inspection process places an interception proxy between the client endpoint and the server endpoint. We call this the middlebox. This is where the data is decrypted and inspected before moving forward.

This hardware or software is placed between the client and the server. Because nearly all content today is sent using SSL encryption, the only way to actually decrypt and inspect it is through some method of catching it.

You can imagine that if you are going to go through this extra step in the process, it is going to slow things down drastically. Ultimately, most companies can only utilize these tools for some information and some content – otherwise, the movement of information becomes too limited. Most often, only the traffic that is coming from locations considered untrusted is put at risk.

There is no foolproof method for determining which sites are safe and which are not. Unless everything is inspected, there is no real way to know for sure.

So, how can we do this? There are several ways to inspect SSL traffic. The following are some examples of this.

1. Next-gen firewalls

Often known as NGFW, a next-gen firewall allows traffic to be streamed through the firewall, creating the perceived level of protection.

2. Proxies

A proxy can be created using a separate connection between the client and the server. This is often considered the ideal solution because of the level of protection it can provide.

3. TAP mode

Another option is TAP mode, which allows traffic to be copied as it flows and then analyzed separately offline. This takes time and may not be ideal for all situations.

It is also important to know how those who are bad actors, or those engaging in less-than-desirable strategies, are able to use methods to intercept traffic.

For example, those who wish to do so can use fake SSL certificates to intercept traffic. It happens more often than most believe. They can also use MiTM SSL attacks, which, as we have shown, can be an effective way of targeting data.

A third option is to use an SSL interception proxy. In this method, the user sets up the proxy to allow for the capturing of data and information that is somehow useful to them, and then tamper with that data to gain access to the system.

Should You Stop SSL Inspections?


Another factor to consider is whether or not you should and can stop malicious SSL inspections and interception. Obviously, as a company or organization that has a significant amount of data to protect, you certainly do not want any holes in your security.

SSL encryption is effective, but it does not offer comprehensive solutions. Encrypted traffic can be intercepted in many ways. In situations where there are some pretty tech-smart people—and those using groundbreaking technology—it will be hard to eliminate any risk.

The best step you can take, then, is to be vigilant. Train your employees not to visit any type of site that could be malicious. That is certainly easier to do than it seems. Having an IT team that is poised and ready to understand and break through such risks is also important.

You can also use inspection solutions that will allow you to protect against malicious SSL encryption attacks. This can be done in multiple ways.
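Because an interceptor has to present its own certificate on the client-facing connection, a client can tell a direct session from an intercepted one. The following is an added example, not code from the article; the host name, the inspection CA name and the pin set are hypothetical, and the byte strings are constructed stand-ins for real DER certificates.

```python
import hashlib
import socket
import ssl


def issuer_name(cert):
    """Issuer organisation (or common name) from a getpeercert()-style dict."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName")


def classify(host, der, cert, pins, inspection_cas):
    """Decide what terminated the TLS session the client just completed.

    pins: host -> set of SHA-256 hex digests of leaf certificates recorded out of band.
    inspection_cas: issuer names of the organisation's own inspection CAs.
    """
    if hashlib.sha256(der).hexdigest() in pins.get(host, set()):
        return "direct"                       # same leaf the origin server really serves
    if issuer_name(cert) in inspection_cas:
        return "sanctioned-inspection"        # re-signed by the company middlebox
    return "unexpected-certificate"           # re-signed by someone else, or pin is stale


def probe(host, pins, inspection_cas, port=443, timeout=5.0):
    """Connect with normal validation and classify the certificate that came back."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(host, tls.getpeercert(binary_form=True),
                                tls.getpeercert(), pins, inspection_cas)
    except ssl.SSLCertVerificationError:
        return "untrusted-chain"              # interceptor's CA is not in the trust store


# Constructed stand-ins: the byte strings play the role of DER certificates.
ORIGIN_DER = b"constructed-origin-leaf"
PROXY_DER = b"constructed-proxy-leaf"
PINS = {"intranet.example": {hashlib.sha256(ORIGIN_DER).hexdigest()}}
INSPECTION_CAS = {"Example Corp Inspection CA"}


def cert_issued_by(org):
    """Build a minimal getpeercert()-style dict with only an issuer organisation."""
    return {"issuer": ((("organizationName", org),),)}
```

Leaf-certificate pins go stale whenever the server renews its certificate, so an "unexpected-certificate" result should trigger a pin refresh from a trusted path before it is treated as interception.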


Rayobyte Offers the Proxy Support You Need


Rayobyte provides the proxy support you need. If you need to increase safety and reduce risk for your system, let our team help you. Check out all of our products and what steps you can take to use them.

FAQs

What is SSL packet inspection?

The term SSL packet inspection is the same as SSL inspection in that it means capturing information that is being sent through the client, server, and SSL certificates. In short, SSL packet inspection is a process that intercepts and then reviews the encrypted communication being sent before sending that information back out.

How can you perform an SSL Inspection?

One of the easiest ways to do so is to use an interception proxy that is placed between the client endpoint and the server endpoint. This process can help to decrypt information that is coming in, ensure it is safe to continue on, and then encrypt that information again before it moves forward.

What is SSL scanning?

Another term you may hear is SSL scanning, which refers to the scanning and interception of SSL traffic that is then decrypted, scanned, and analyzed for threats.
