Zero Trust

The politics of TLS/SSL inspection 

Dec 09, 2021
TLS interception

SSL/TLS is a step forward for privacy and security, and the internet has become increasingly secure as a result. While most web traffic is now encrypted, we may never achieve complete encryption (Threatlabz Encrypted Traffic Dashboard is an excellent tool for trend analysis). SSL/TLS encryption is by no means an infallible silver bullet that guarantees security. SSL encryption and SSL inspection are legacy misnomers as SSL 2.0 and 3.0 were deprecated over five years ago. TLS is the successor and has advanced to TLS 1.3 since TLS 1.1 was compromised and deprecated. The technical debt in insecure versions remains present either through necessity or lax management, and hackers can exploit known vulnerabilities on legacy systems for months or even years.

That said, "SSL inspection" has stuck and is regularly referenced in the industry when we now mean "TLS interception," so I'll use the proper term in the spirit of accuracy. TLS interception remains a key tool in the defense-in-depth security of an organization but is not infallible as hackers become more capable. It essentially allows you to scan encrypted traffic, packet by packet, for nefarious payloads and, in theory, provide greater protection and threat visibility. Without TLS interception, you cannot stop what you cannot see. The TLS interception market is growing to meet the challenge of encrypted traffic and looks likely to continue on that trajectory.

Performing this inspection adds massive compute overhead. Breaking encrypted traffic streams and inspecting in near real time then re-encrypting and forwarding is intensive and requires the traffic to traverse a particular point on the network to pass through the appliances doing the inspection. The linear nature of legacy security stacks where traffic may pass through a daisy-chain of various devices further adds latency. Still, that was largely fine (expensive, especially at scale, but fine) when we all worked in offices on a corporate LAN connected by MPLS, but less so when many work from home and the internet is the new corporate network. As the internet becomes increasingly encrypted, identifying malicious traffic in encrypted payloads becomes paramount for proper threat protection. As with most things in IT that require scale and global distribution, the cloud is the obvious place to deliver this. So why would you fight a duel blindfolded?  

Zscaler has disrupted the market with a globally distributed proxy architecture and multi-scan security technologies built in the cloud for modern workflows. Plenty is available about the technical approaches to TLS interception, so my intention isn't to replicate those here, but instead, cover what I call the politics of TLS Interception: globally distributed TLS interception at massive scale exists today, but, despite that, there's still reluctance in many companies about switching it on, and a lot of the objections I've heard are abstract.

The primary purpose of TLS interception is to identify malicious traffic. That said, there's a perception that people will be looking at user traffic to see what users are doing on the internet by inspecting traffic. I don't think many companies have the time, resources, or inclination for that. I've heard arguments that you would have plausible deniability for freedom of information (FOI) requests about how long staff is spending on certain websites by not inspecting traffic. The truth is you can still do this even without SSL inspection. Unions and worker's councils, for example, often don't understand the technologies or purpose of TLS interception and have strong views on how it 'invades' user privacy even though these users have signed the company IT policy. The "we don't trust vendors" argument implies that vendors may peer into traffic using TLS interception. There may be prudence in that, but most companies aren't security companies, so putting faith in trusted security partners may be acceptable. It would be commercial suicide for IT security companies to break that trust. In the case of Zscaler, industry certifications demonstrate diligence.

Historically, IT has implemented TLS interception by passing traffic through inline hardware appliances, which may have contributed to the perception that you either inspect or don't. The truth is that TLS interception doesn't have to be a blunt instrument. It can be granular–certain things can and should be excluded from inspection, for example, healthcare and personal banking data. Users are a primary threat vector to an organization, but threats reside in trusted destinations and applications. If a user wants to work on a corporate device, it should be reasonably detailed in his employer's IT contract on what is and isn't allowed. If he wants to use the internet outside of policy, he can logically use his device and connectivity. But for the threats in trusted locations, companies need the visibility TLS interception affords.

In conclusion, in a climate of increasing security threat, TLS interception is a critical weapon in the armory of companies for protection, and inherent to it is placing trust in vendors like Zscaler that can handle it globally at scale without compromise. Forgoing TLS interception means you essentially trust everything you might connect to on the internet. What could go wrong with that?

What to read next 

ThreatLabz: The State of Encrypted Attacks, 2021

Zero Trust Transformation Tip: Inspect SSL traffic to prevent threats