What Is SSL Decryption?
Why Is SSL Decryption Important?
With the growing popularity of the cloud and SaaS apps, it’s become more likely that a given file or string of data will traverse the internet at some point. If that data is confidential or sensitive, it could be a target. Encryption, therefore, is essential to keeping people and data safe. That’s why most browsers, websites, and cloud apps today encrypt outgoing data as well as exchange that data over encrypted connections.
Of course, it works both ways—if sensitive data can use encryption to hide, then threats can, too. This makes effective SSL decryption equally essential, as it enables an organization to fully inspect the contents of decrypted traffic before either blocking it or re-encrypting it so that it can continue on its way.
SSL vs. TLS
Time for a disambiguation. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols that govern encryption and transmission of data between two points. So, what’s the difference?
The now-defunct Netscape developed SSL in the 1990s, releasing SSL 3.0 in late 1996. TLS 1.0, based on an improved version of SSL 3.0, came about in 1999. TLS 1.3, released by the Internet Engineering Task Force (IETF) in 2018, is the most recent and secure version as of this writing. Today, SSL is no longer developed or supported—by 2015, the IETF had declared all versions of SSL deprecated due to vulnerabilities (e.g., to man in the middle attacks) and lack of critical security features.
Despite this, and decades of change, most people outside a strictly technical context still say “SSL” as a catch-all for these cryptographic protocols. In other words, when you see SSL, TLS, SSL/TLS, HTTPS, and so on, they usually mean the same thing. For the purposes of this article, we’ll clarify as needed.
Benefits of SSL Decryption
Implementing SSL decryption and inspection helps today’s organizations keep their end users, customers, and data safe, with the ability to:
- Prevent data breaches by finding hidden malware and stopping hackers from sneaking past defenses
- See and understand what employees are sending outside of the organization, intentionally or accidentally
- Meet regulatory compliance requirements, ensuring employees aren’t putting confidential data at risk
- Support a multilayered defense strategy that keeps the entire organization secure
The Need for SSL Decryption
Despite increased encryption usage, many organizations still inspect only some of their SSL/TLS traffic, allowing traffic from content delivery networks (CDNs) and certain “trusted” sites to go uninspected. This can be risky because:
- Webpages can change easily. Some draw from multiple sources to display hundreds of objects, each of which should be considered untrusted, no matter its source.
- Malware authors often use encryption to hide their exploits. With more than 100 certificate authorities around the globe today, it’s easy and inexpensive to obtain a valid SSL certificate.
- Most traffic is encrypted. At any given time, around 70% of traffic the Zscaler Cloud processes is encrypted, accentuating the importance of being able to decrypt SSL traffic.
So, why doesn’t everybody do it? Put simply, it takes a lot of computation to decrypt, inspect, and re-encrypt SSL traffic, and without the right technology, it can devastate your network’s performance. Most companies can’t afford to grind business and workflows to a halt, so they have no choice but to bypass inspection on appliances that can’t keep up with the processing demands.
How SSL Decryption Works
There are a few different approaches to SSL decryption and inspection. Let’s look at the most common ones and key considerations for each.
SSL Decryption Best Practices
The need to implement an SSL decryption and inspection function to protect your organization has become too great to ignore. Even so, there are important things to consider—some more technical than others—as you deploy SSL inspection:
- Start with a small location or test lab to ensure your team understands the feature, and that it works as intended, before enabling it more broadly.
- To reduce troubleshooting, consider updating your end user notifications to inform users of the new SSL inspection policy.
- (Optional) When defining SSL inspection policy, create a list of URLs and URL categories as well as cloud apps and cloud app categories for which SSL transactions will not be decrypted.
- At first, only enable inspection for risky categories—adult content and gambling, for instance, or those that pose privacy or liability risks. Then, when ready, enable inspection for all URL categories except finance and health to allay privacy concerns.
- Take note of applications your organization uses that leverage certificate pinning, where the application will accept only one specific client certificate. These apps might not work with SSL inspection, so you’ll need to include them in the list of what not to decrypt.
- Enable user authentication to allow your SSL inspection service to apply user policies.
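As an added example (not code from this page or from Zscaler's product), a small policy evaluator that applies the phased rollout above: explicit bypass entries and certificate-pinned apps are never decrypted, finance and health are exempted for privacy, the initial phase decrypts only risky categories, and the broad phase decrypts everything else. Hostnames, category names and the category feed are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed sample data: category names, hostnames and the category feed
# are illustrative, not real Zscaler categories or any customer's config.
RISKY_CATEGORIES = {"adult", "gambling"}          # first rollout phase
SENSITIVE_CATEGORIES = {"finance", "health"}      # privacy exemptions
PINNED_APP_HOSTS = ["*.pinned-app.example"]       # certificate-pinned apps
BYPASS_HOSTS = ["*.intranet.example"]             # explicit do-not-decrypt list
CATEGORY_FEED = {                                  # stands in for a URL-category feed
    "casino.example": "gambling", "news.example": "news",
    "mybank.example": "finance", "clinic.example": "health",
}

@dataclass
class Decision:
    decrypt: bool
    reason: str

def matches_any(host: str, patterns) -> bool:
    # Wildcard match: '*.pinned-app.example' covers 'api.pinned-app.example'.
    return any(fnmatch(host, p) for p in patterns)

def category_of(host: str) -> str:
    # Walk from the full host to its parent domains so subdomains inherit
    # the category of the registered domain in the feed.
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORY_FEED.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"

def decide(host: str, phase: str) -> Decision:
    """phase is 'risky-only' for the initial rollout or 'broad' once ready."""
    host = host.lower().rstrip(".")
    if matches_any(host, PINNED_APP_HOSTS):
        return Decision(False, "certificate-pinned application")
    if matches_any(host, BYPASS_HOSTS):
        return Decision(False, "explicit bypass list")
    category = category_of(host)
    if category in SENSITIVE_CATEGORIES:
        return Decision(False, f"privacy exemption: {category}")
    if phase == "risky-only":
        if category in RISKY_CATEGORIES:
            return Decision(True, f"risky category: {category}")
        return Decision(False, "outside initial rollout scope")
    if phase == "broad":
        return Decision(True, f"inspect: {category}")
    raise ValueError(f"unknown phase {phase!r}")
```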
What About the Privacy Implications of SSL Inspection?
SSL decryption and inspection can drastically improve your security hygiene, but it might not be as simple as decrypting everything. Depending on your industry, region, and the laws and regulations you’re subject to, you may deal with certain traffic that shouldn’t be decrypted, such as medical or financial data. In this case, you’ll need to configure filters and policies to keep these types of connections private.
Outside of legal and regulatory concerns, your organization should generally inspect as much SSL traffic as possible to reduce risk and keep your users and data safe.
Zscaler and SSL Decryption
The Zscaler Zero Trust Exchange™ platform enables complete SSL inspection at scale without latency or capacity limitations. By pairing SSL inspection with our complete security stack as a cloud service, you get superior protection without the constraints of appliances.
Unlimited Capacity
Inspect all your users’ SSL traffic, on or off network, with a service that elastically scales to meet your traffic demands.
Leaner Administration
Stop managing certificates individually across all gateways. Certificates uploaded to the Zscaler Cloud are immediately available in 150+ Zscaler data centers worldwide.
Granular Policy Control
Ensure compliance with the flexibility to exclude encrypted user traffic for sensitive website categories such as healthcare or banking.
Safety and Security
Stay covered with support for the latest AES/GCM and DHE cipher suites for perfect forward secrecy. User data is never stored in the cloud.
Simplified Certificate Management
Use our certificates or bring your own. Use our API to easily rotate your certificates as often as needed.