What is SSL Inspection?

The use of SSL/TLS in HTTPS provides security for web traffic containing sensitive information. While this is valuable for user privacy, it is useful for cybercriminals as well. Malware is increasingly using HTTPS to hide its command and control communications.

SSL/TLS is a cryptographic protocol that adds encryption, integrity protection and server authentication to application protocols that have none of their own. It is best known for securing web traffic as HTTPS, but the same protection is available to malware, which is why the ability to inspect SSL/TLS traffic has become an essential component of an organization's cybersecurity strategy.

NGFW Buyer’s Guide

What is HTTPS?

HyperText Transfer Protocol Secure (HTTPS) is what makes the secure web possible. Any webpage that shows the lock icon in the browser's address bar is using HTTPS between the computer requesting the page and the server hosting it.

HTTP vs HTTPS

HTTPS is a secure version of the basic HTTP protocol. HTTP is designed to enable browsing the web by defining how a client computer and a webserver should talk to one another.

The main limitation of HTTP is that it is completely insecure. Everything carried over HTTP can be read, and silently modified, by anyone positioned on the path between client and server. As the web carries more and more sensitive information (ecommerce, online health records, social media, etc.), this places users' sensitive information at risk.

HTTPS uses the Transport Layer Security (TLS) protocol, the successor to Secure Sockets Layer (SSL), to add security to HTTP. With SSL/TLS, HTTPS verifies the identity of the webserver and encrypts all traffic flowing between the client and the server.

How does HTTPS Work?

HTTPS is two protocols working together. SSL/TLS first establishes an encrypted connection between the client and the server. HTTP requests and responses are then sent through that connection: each chunk of HTTP data is encrypted and carried as the payload of an SSL/TLS record, and the receiving side decrypts the record and hands the contents to its HTTP implementation.

For this to be possible, the client and server need shared secret keys for encryption. SSL/TLS creates them during a handshake in which the client and server agree on the parameters to be used (protocol version, cipher suite, etc.) and establish a shared secret using public-key cryptography, so that an eavesdropper who sees the whole handshake still cannot derive it. Older versions allow the client to encrypt a secret to the server's RSA key; TLS 1.3 always uses an ephemeral (Elliptic Curve) Diffie-Hellman exchange. The session keys are then derived from that shared secret.

Benefits of SSL/TLS

The SSL/TLS handshake adds round trips and CPU work, so HTTPS is somewhat slower and costlier than plain HTTP. In exchange, the protocol offers several important benefits, including:

  • Privacy: HTTPS encrypts a user's web traffic, ensuring data privacy. With Perfect Forward Secrecy (PFS), session keys are derived from ephemeral values that are discarded when the session ends, so recorded traffic cannot be decrypted even if the server's long-term private key is compromised later.
  • Data Integrity: HTTPS uses message authentication codes (MACs), or authenticated encryption in modern cipher suites, to ensure that data has not been modified in transit. This protects against both transmission errors and malicious modifications.
  • Authentication: The handshake phase of SSL/TLS uses the webserver's digital certificate, which verifies the identity of the webserver. SSL/TLS can also be configured to require a client certificate, proving the identity of the client as well (mutual TLS).

HTTPS is Not Completely Secure

HTTPS is designed to be a secure alternative to HTTP. However, its security has its limitations, including:

  • Protocol Vulnerabilities: The SSL/TLS protocol has been revised repeatedly, and many revisions fix previously discovered weaknesses. Keeping TLS implementations patched and disabling obsolete versions (SSL 3.0, TLS 1.0 and 1.1) and weak cipher suites is essential for security.
  • Fake Websites: The lock icon only guarantees that the webserver holds a certificate issued for the domain name in the address bar. It does not protect against phishing sites set up under a look-alike domain, which can obtain a perfectly valid certificate of their own.
  • SSL/TLS Interception: SSL/TLS only verifies that a website's digital certificate is signed by an authority the client trusts. If an attacker can obtain a certificate for the site that the client will trust (for example by getting a rogue CA certificate into the client's trust store, or by compromising a CA), they can perform a Man-in-the-Middle (MitM) attack to intercept and read or modify the traffic. The attacker terminates the SSL/TLS connection from the client, decrypts the traffic to see its contents, then re-encrypts it over a separate SSL/TLS connection to the webserver; return traffic goes through the same process. Users may not notice this is happening, but endpoint, browser, and mobile security solutions (and mechanisms such as certificate pinning) can detect and prevent MitM attacks.
  • Encrypted Malicious Content: The encryption offered by HTTPS prevents network security devices from seeing the contents of traffic unless they can decrypt it. Malware and phishing sites take advantage of this to evade an organization's cyber defenses.

The Need for HTTPS Inspection

SSL/TLS inspection performs a MitM-style interception on SSL/TLS connections entering or leaving an organization's network. The security gateway terminates the client's SSL/TLS session using a certificate it issues itself, inspects the decrypted traffic for malicious content, and then opens its own SSL/TLS session to the real server to forward it.
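To make the interception described in the previous section and here concrete, the following is an added example written for this page (it is not code from the page or from any vendor's product) using the Python `cryptography` library. It models what an inspecting gateway does: hold a CA key, mint a certificate for the hostname the client asked for, and present it; and it models, in reduced form, the check a client performs before accepting that certificate. The CA names, the hostname `bank.example` and the simplified `client_accepts` check are assumptions for illustration; a real client also checks validity dates, revocation, key usage and the full chain.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name):
    """Self-signed CA certificate, e.g. the inspection gateway's own root.
    The common name is an assumption for this example."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)                      # self-signed
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def mint_interception_cert(ca_key, ca_cert, hostname):
    """Per-connection step of an inspecting gateway: issue a short-lived leaf
    certificate for the server name the client asked for, signed by the gateway CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)           # chains to the gateway CA, not a public one
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def client_accepts(leaf, hostname, trust_store):
    """Reduced model of a browser's decision (simplified for the example; a real client
    also checks validity dates, revocation, key usage and name constraints): the SAN must
    cover the hostname, and the issuer must be a trusted root whose public key verifies
    the certificate's signature. A root that merely has the same name does not count."""
    try:
        san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False
    if hostname not in san.get_values_for_type(x509.DNSName):
        return False
    for root in trust_store:
        if root.subject != leaf.issuer:
            continue
        try:
            root.public_key().verify(
                leaf.signature, leaf.tbs_certificate_bytes,
                ec.ECDSA(leaf.signature_hash_algorithm),
            )
            return True
        except InvalidSignature:
            continue                            # same name, wrong key: keep looking
    return False                                # no trusted root vouches for the issuer


def issuer_cn(cert):
    """The issuer's common name: what a user or endpoint agent looks at to spot interception."""
    return cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


if __name__ == "__main__":
    gw_key, gw_ca = make_ca("Corp TLS Inspection CA")          # assumed name
    _, public_ca = make_ca("Some Public Root CA")               # stands in for a real public root
    _, leaf = mint_interception_cert(gw_key, gw_ca, "bank.example")  # assumed hostname
    print("issuer of the certificate the client sees:", issuer_cn(leaf))
    print("endpoint with gateway CA installed:", client_accepts(leaf, "bank.example", [public_ca, gw_ca]))
    print("endpoint without it:", client_accepts(leaf, "bank.example", [public_ca]))
```

With the gateway CA in its trust store the client accepts the minted certificate, which is the situation the "Gateway Certificate" best practice below aims for; without it the same certificate fails, and that is also how a user or an endpoint agent can notice interception: the certificate for bank.example is issued by the inspection CA rather than by a public one. Whoever holds the gateway CA's private key can mint such a certificate for any name, so that key deserves the same protection as a domain's own private key.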

Benefits of HTTPS inspection

HTTPS inspection provides several network performance and security benefits, including:

  • Improved Application Identification: Decrypting HTTPS traffic enables an organization to better identify the application using the connection and apply application-specific security and routing policies.
  • URL Filtering Enforcement: Inspection of HTTPS traffic enables an organization to block traffic to unsafe or inappropriate websites.
  • Malicious Content Filtering: HTTPS inspection allows cybersecurity solutions to scan for malicious content within HTTPS traffic. Content can be tested in a sandbox and malicious content can be removed from files using Content Disarm and Reconstruction (CDR) technologies.

Performance Impact of HTTPS Inspection

HTTPS inspection requires a next-generation firewall (NGFW) to decrypt each connection, inspect the data it contains for malicious content, and re-encrypt it before forwarding it to its destination. This adds latency, and the impact becomes significant if the NGFW lacks the capacity to perform inspection at line speed.

Deploying a scalable security solution is essential to ensuring that an organization can adapt to increasing traffic bandwidth. A hyperscale network solution enables an organization to add more resources to meet demand without purchasing additional dedicated systems.

Best Practices for Network HTTPS Inspection

HTTPS inspection can dramatically improve an organization's web security. When selecting and deploying an NGFW for HTTPS inspection, implement the following best practices:

  • Inbound vs Outbound Inspection: Inbound inspection covers connections from external clients to the organization's own webservers; the gateway decrypts these with the servers' own certificates and private keys and can protect the servers by applying IPS (Intrusion Prevention System) protections. Outbound inspection covers connections from internal users to external servers, where the gateway has to present a certificate it issues itself.
  • Respect Legitimate Privacy Concerns: Some types of data are protected under regulations like GDPR, PCI DSS, and HIPAA. The HTTPS inspection rules should be configured not to decrypt traffic likely to contain these types of sensitive data (e.g. to financial institutions, healthcare organizations, etc.), typically by URL category.
  • Recommended Bypass List: HTTPS inspection increases network latency, is unnecessary for certain trusted sites, and breaks applications that pin their server's certificate. An NGFW should be able to use an updateable bypass list to determine which traffic should not be decrypted.
  • Gateway Certificate: Distribute the gateway's CA certificate to the endpoints' trust stores (for example through Group Policy or an MDM profile) so that browsers trust the certificates the security gateway issues. This is essential for eliminating browser warnings and creating a seamless user experience. Keep the matching private key protected: anyone holding it can intercept the traffic of every endpoint that trusts it.
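The handshake parameters mentioned under "How does HTTPS Work?" and the bypass rules listed above meet in one message: the ClientHello. It is sent in the clear, and it is where the gateway learns the server name (SNI), the offered protocol versions and cipher suites, and the application protocol (ALPN) before deciding whether to decrypt. The following added example (standard-library Python only; not code from the page or from any vendor) builds a minimal ClientHello, parses it the way a gateway would, and applies a constructed bypass policy. The category table, the bypass list and the hostnames are assumptions made for the example.

```python
import os
import struct

# ---- client side: serialise a minimal ClientHello (constructed for this example) ----

def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(sni, alpn=("h2", "http/1.1"), versions=(0x0304, 0x0303),
                       cipher_suites=(0x1301, 0x1302, 0xC02B)):
    """TLS record carrying a ClientHello with SNI, ALPN and supported_versions extensions."""
    name = sni.encode("idna")
    sni_ext = _ext(0, struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name)
    alpn_list = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_ext = _ext(16, struct.pack("!H", len(alpn_list)) + alpn_list)
    ver_list = b"".join(struct.pack("!H", v) for v in versions)
    ver_ext = _ext(43, bytes([len(ver_list)]) + ver_list)
    exts = sni_ext + alpn_ext + ver_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + os.urandom(32)            # legacy_version, random
            + b"\x00"                                # empty legacy_session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                            # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# ---- gateway side: read the cleartext ClientHello before deciding whether to decrypt ----

def parse_client_hello(data):
    """Extract SNI, ALPN, offered versions and cipher suites from a TLS handshake record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(rec) < 4 or rec[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    pos = 2 + 32                                     # skip legacy_version and random
    pos += 1 + body[pos]                             # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # skip compression methods
    info = {"sni": None, "alpn": [], "versions": [], "cipher_suites": suites}
    if pos + 2 > len(body):
        return info                                  # legacy client without extensions
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and edata[2] == 0:             # server_name, host_name entry
            nlen = struct.unpack("!H", edata[3:5])[0]
            info["sni"] = edata[5:5 + nlen].decode("idna")
        elif etype == 16:                            # application_layer_protocol_negotiation
            p, stop = 2, 2 + struct.unpack("!H", edata[:2])[0]
            while p < stop:
                info["alpn"].append(edata[p + 1:p + 1 + edata[p]].decode("ascii"))
                p += 1 + edata[p]
        elif etype == 43:                            # supported_versions
            info["versions"] = [struct.unpack("!H", edata[i:i + 2])[0]
                                for i in range(1, 1 + edata[0], 2)]
    return info


# ---- policy: constructed category feed and bypass list (a real gateway uses updateable feeds) ----

CATEGORY_DB = {"bank.example": "financial", "clinic.example": "healthcare"}
PRIVACY_CATEGORIES = {"financial", "healthcare"}     # regulated data: do not decrypt
BYPASS_LIST = {"updates.vendor.example"}             # trusted, high-volume, certificate-pinned


def _suffix_match(host, names):
    """Return the entry in `names` equal to the host or to one of its parent domains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in names:
            return candidate
    return None


def inspection_decision(hello):
    """Return ("inspect" | "bypass", reason) for a parsed ClientHello."""
    sni = hello["sni"]
    if sni is None:
        return "inspect", "no SNI: hostname policy cannot apply, classify after decryption"
    hit = _suffix_match(sni, BYPASS_LIST)
    if hit:
        return "bypass", f"{sni} is on the bypass list ({hit})"
    hit = _suffix_match(sni, CATEGORY_DB)
    if hit and CATEGORY_DB[hit] in PRIVACY_CATEGORIES:
        return "bypass", f"{sni} is categorised {CATEGORY_DB[hit]}: regulated data"
    return "inspect", f"{sni} has no exemption"


if __name__ == "__main__":
    for host in ("api.bank.example", "updates.vendor.example", "cdn.example.net"):
        hello = parse_client_hello(build_client_hello(host))
        print(host, hello["alpn"], [hex(v) for v in hello["versions"]], inspection_decision(hello))
```

The SNI is supplied by the client, so a bypass keyed on it alone can be abused by malware that sends a bypassed name while connecting somewhere else; a gateway should confirm that the server's certificate actually matches the bypassed name (or classify by the destination's category) before letting a session through undecrypted. Encrypted ClientHello (ECH) hides the SNI entirely, in which case the decision has to fall back to the destination address or the server certificate.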

 

An NGFW should support these capabilities in addition to the other core features described in this NGFW buyer's guide, including:

  • User-Friendly Management
  • Threat Prevention
  • Application Inspection and Control
  • Identity-Based Inspection and Control
  • Scalable Performance

Check Point's NGFWs provide high-performance, scalable SSL/TLS inspection capabilities. To see them in action, you're welcome to request a free demo.
