What is HTTPS inspection?

Inspecting traffic can help organizations detect malware, but the security risks of HTTPS inspection necessitate careful consideration.

Learning Objectives

After reading this article you will be able to:

  • Describe how HTTPS inspection works
  • Explain how attackers use HTTPS to disguise their activity
  • Understand alternatives for mitigating the risk of attack

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is HTTPS inspection?

HTTPS inspection is the process of checking encrypted web traffic by using the same technique as an on-path attack on the network connection. This is a feature of some corporate networking devices, firewalls, and threat management products.

An organization may wish to inspect HTTPS traffic to look for malware, identify data exfiltration attempts, and block access to specific websites. Malware poses a security concern because it can paralyze business operations, steal data, or make files inaccessible.

HTTPS inspection goes by many names, including SSL inspection, TLS inspection, TLS break and inspect, and HTTPS interception.

How does HTTPS inspection work?

When an organization uses HTTPS inspection to protect themselves from malware, they employ a product that sets up two separate encrypted connections and impersonates both the client and the server. The product searches for malicious threats to block, all without letting the client know that there is not one end-to-end, validated connection.

As an example, imagine a student is passing a note to a friend in class without realizing that the person sitting between them can read the message’s contents. In this scenario, the sender believes that the note is sealed in transit, without realizing it can be opened and closed without any obvious signs. HTTPS inspection differs from this example in one important way, however — the sender is unaware of even the presence of an intermediary.

Normally when a website uses TLS, the client device (a user's computer or smartphone) connects directly to the website's host server and sets up an encrypted connection. Once the encrypted connection is established, traffic between the client and server is completely encrypted, and no one in the middle can view the traffic.

During HTTPS inspection, the product sets up two SSL connections — one to the server and one to the client. From the client’s perspective, it is connecting directly to the server with no intermediary. The traffic is instead redirected to the inspection product, which is impersonating the website. It has the ability to view, alter, and block the content.

How can secure traffic deliver malware?

In earlier days of the Internet, traffic was sent over HTTP in plaintext. This means nothing was encrypted, and if someone intercepted traffic, all of its data was exposed.

With HTTPS — the secure version of HTTP — traffic is encrypted. The client and server go through a process of back-and-forth communications to establish a secure connection.

HTTPS protects Internet traffic from being monitored by unauthorized parties. However, it can also help bad actors hide their tracks. HTTPS encrypts and obscures every kind of data, whether it is a person’s banking data or malware from an attacker.

A browser’s padlock icon for an HTTPS connection signifies that the data going between a user and a server is encrypted, not that everything about the website is guaranteed to be secured from attacks or snooping. A website run by a trusted company, such as a financial institution, could have a security flaw and unknowingly pose a threat to users. Alternatively, an attacker could set up a malicious website that appears to be safe because it has an SSL certificate and encrypts traffic.

What are the risks of HTTPS inspection?

If done incorrectly, HTTPS inspection can create security vulnerabilities. For normal, uninspected traffic, a browser can validate the connection end-to-end — verifying that the certificate is valid ensures that the client is communicating with the server that owns the domain.

By interrupting this process, inspection can introduce several problems if adequate care is not taken:

  • The post-inspection encryption may be less secure, particularly if the inspection product does not use current cryptographic standards
  • Some inspection products do not correctly validate certificate chains, which increases the chance of a separate on-path attack from a criminal
  • While browsers are updated frequently and automatically to address new security issues, the inspection product might lag behind security best practices, such as support for the latest version of the transport layer security (TLS) protocol

What are the benefits of HTTPS inspection?

HTTPS inspection provides:

  • Greater visibility into network traffic and potential risks
  • A higher chance of blocking malicious attacks on an organization's network
  • An increased ability to enforce company security policies

What are the alternatives to HTTPS inspection?

There is no single widely accepted method for combating malware hidden in HTTPS traffic. Some measures that can help include:

  • Using firewalls that inspect security certificates without breaking encryption to identify suspicious behavior
  • Addressing risks stemming from employees at the source, such as by limiting their ability to download unapproved software and improving endpoint monitoring
  • Fine-tuning deep packet inspection rules within a firewall
  • Employing DNS filtering and a secure web gateway to block connections with unsecure websites or servers
  • Using browser isolation to confine browsing activity to a secured environment and keep unsecure code from executing inside the network

Learn how Cloudflare Gateway blocks malware and other risks while providing near real-time monitoring of traffic.