Inspecting your HTTPS traffic is critical, especially at scale
A lack of SSL inspection can bring down giants. Do you remember the Equifax data breach — the one that compromised the data of millions of people, cost millions of dollars and caused the credit bureau to get its own credit rating downgraded? Yeah, that one. The breach went unaddressed for 76 days because an expired digital certificate caused it to lose the ability to inspect its own traffic.
Had Equifax had that ability, it would’ve noticed that amount of data being exfiltrated by the attackers and could have mitigated the problem much faster — and with much less damage. Instead, the attackers were able to hide in Equifax’s HTTPS traffic and operate undetected.
Now, there are two major lessons to learn from that. The first is that certificate management is critical. Allowing an SSL certificate expiration to occur is one thing; not fixing it for 76 days — which implies you didn’t notice — is downright negligent. That just can’t happen — and it doesn’t with the right certificate management solution.
But that’s not why we’re here. We’re here for the other takeaway: SSL inspection, sometimes called HTTPS inspection, is critical.
What is SSL Inspection?
SSL inspection, in the simplest terms, is decrypting the traffic that’s coming through your site and inspecting it before it actually has a chance to reach the site itself. If that sounds a bit abstract, think of it like a security checkpoint. In most configurations, the encrypted traffic gets all the way to your website before it gets decrypted and, at that point, it’s right at your doorstep. SSL inspection is like putting a security checkpoint at the perimeter, where it can check for any bad actors before they have the chance to reach your doorstep.
The Nitty-Gritty of SSL Inspection
That’s the simple explanation. Now let’s look at it from a technical standpoint. Internet connections are incredibly complicated — it’s not just a 1:1, client-routes-straight-to-the-server type of situation. And for larger websites, a single server isn’t even what powers the site. There may be multiple servers handling multiple functions. For instance, at a certain size, if you’re still using RSA key exchange it’s advisable that you offload all those encryption and decryption functions that occur during the handshake to a dedicated device to free up resources on the application server that actually hosts most of its core functions. The server uses up 15 times more resources during an RSA handshake than the client does.
What Happens with SSL Offloading
This is called SSL offloading. And understanding what that is will help you better understand HTTPS inspection. SSL inspection is a form of SSL offloading. With SSL inspection, you offload the SSL functions to an edge device that decrypts all of the incoming and outgoing traffic so that it can be filtered. There are two options from there:
- SSL Termination
- SSL Bridging
With SSL termination, you terminate the encryption at the edge device and pass the data through to your application server in plaintext. This isn’t ideal because anyone who gets inside your firewall and can see that internal segment can read everything.
The better option is SSL bridging — where you install an additional SSL certificate on the application server (best practice would be to use an OV certificate) and re-encrypt the traffic as it’s passed to the application server. This uses up more resources, but it’s also more secure.
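As an added illustration (not from the original article), here is how the two options look when an nginx reverse proxy plays the role of the edge device; the hostnames, certificate paths and the internal CA bundle are assumed placeholders.

```nginx
# Edge device: decrypt client traffic once, so it can be filtered here.
server {
    listen 443 ssl;
    server_name www.example.com;                      # assumed hostname
    ssl_certificate     /etc/ssl/edge/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/ssl/edge/privkey.pem;    # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Option 1: SSL termination. Traffic continues to the application
    # server in plaintext, so anyone inside the perimeter who can see
    # this network segment sees everything.
    location /legacy/ {
        proxy_pass http://app.internal:8080;          # assumed backend
    }

    # Option 2: SSL bridging. Re-encrypt toward the application server
    # and verify the certificate installed there, so a host inside the
    # perimeter can neither read nor impersonate the backend hop.
    location / {
        proxy_pass https://app.internal:8443;         # assumed backend
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;                          # default is off
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/internal-ca.pem;  # assumed CA bundle
        proxy_ssl_server_name on;                     # send SNI to the backend
        proxy_ssl_name app.internal;                  # name the backend cert must match
    }
}
```

Note that nginx leaves proxy_ssl_verify off by default, so a bridging setup without it encrypts the internal hop but never checks who is on the other end.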
Why Do I Need to Inspect HTTPS Traffic?
The whole point of HTTPS is anonymity. And that has a lot of benefits but there are also a few drawbacks. One of them is that it’s difficult to distinguish a request made in good faith from a malicious one. Hiding in HTTPS traffic is a great way to amplify distributed denial of service (DDoS) attacks for the aforementioned reason that it’s so expensive on the server-side to perform the handshake.
It would be good to know if a lot of those requests are coming from criminals or hackers so they could be blocked, and you can avoid having your website or server go down. This is a prime example of why organizations use HTTPS inspection.
Beyond that, SSL inspection just gives you better visibility about what’s happening within your network. You can see what information is coming in and, more importantly, what’s going out. It’s also required if you want to use an AI/machine learning security solution, as that’s contingent upon being able to analyze and see trends in traffic patterns.
Advantages of SSL Inspection
- Ability to sniff out malicious requests
- Indicates when large amounts of data leave your network
- Allows for better access management
- Requisite for AI/machine learning security solutions
- Protects against DDoS attacks
- Makes it easier to block users and IP addresses
How Do I Get Started with SSL Inspection?
SSL inspection requires actual hardware in most cases. While there are some ways to do it virtually, at scale it’s going to require dedicated edge devices to handle all the handshakes, decryption and encryption, as well as the filtering responsibilities. This can sometimes be done with a load balancer; other vendors sell dedicated devices.
From there, you’re going to need to configure your network to offload those functions to the chosen device in addition to configuring the device to filter how you want. Those are entire topics in and of themselves.
The important thing is to ensure you either have strong protection like firewalls in place to keep intruders out, or you need to re-encrypt the data before sending it along.
SSL inspection CAN hurt your encryption security if you’re not careful. So be careful.