Inspecting traffic can help organizations detect malware, but the security risks of HTTPS inspection necessitate careful consideration.
HTTPS inspection is the process of checking encrypted web traffic by using the same technique as an on-path attack on the network connection. This is a feature of some corporate networking devices, firewalls, and threat management products.
An organization may wish to inspect HTTPS traffic to look for malware, identify data exfiltration attempts, and block access to specific websites. Malware poses a security concern because it can paralyze business operations, steal data, or make files inaccessible.
HTTPS inspection goes by many names, including SSL inspection, TLS inspection, TLS break and inspect, and HTTPS interception.
When an organization uses HTTPS inspection to protect themselves from malware, they employ a product that sets up two separate encrypted connections and impersonates both the client and the server. The product searches for malicious threats to block, all without letting the client know that there is not one end-to-end, validated connection.
As an example, imagine a student is passing a note to a friend in class without realizing that the person sitting between them can read the message’s contents. In this scenario, the sender believes that the note is sealed in transit, without realizing it can be opened and closed without any obvious signs. HTTPS inspection differs from this example in one important way, however — the sender is unaware of even the presence of an intermediary.
Normally when a website uses TLS, the client device (a user's computer or smartphone) connects directly to the website's host server and sets up an encrypted connection. Once the encrypted connection is established, traffic between the client and server is completely encrypted, and no one in the middle can view the traffic.
During HTTPS inspection, the product sets up two SSL connections — one to the server and one to the client. From the client’s perspective, it is connecting directly to the server with no intermediary. The traffic is instead redirected to the inspection product, which is impersonating the website. It has the ability to view, alter, and block the content.
In earlier days of the Internet, traffic was sent over HTTP in plaintext. This means nothing was encrypted, and if someone intercepted traffic, all of its data was exposed.
With HTTPS — the secure version of HTTP — traffic is encrypted. The client and server go through a process of back-and-forth communications to establish a secure connection.
HTTPS protects Internet traffic from being monitored by unauthorized parties. However, it can also help bad actors hide their tracks. HTTPS encrypts and obscures every kind of data, whether it is a person’s banking data or malware from an attacker.
A browser’s padlock icon for an HTTPS connection signifies that the data going between a user and a server is encrypted, not that everything about the website is guaranteed to be secured from attacks or snooping. A website run by a trusted company, such as a financial institution, could have a security flaw and unknowingly pose a threat to users. Alternatively, an attacker could set up a malicious website that appears to be safe because it has an SSL certificate and encrypts traffic.
If done incorrectly, HTTPS inspection can create security vulnerabilities. For normal, uninspected traffic, a browser can validate the connection end-to-end — verifying that the certificate is valid ensures that the client is communicating with the server that owns the domain.
By interrupting this process, inspection can introduce several problems if adequate care is not taken:
HTTPS inspection provides:
There is no single widely accepted method for combating malware hidden in HTTPS traffic. Some measures that can help include:
Learn how Cloudflare Gateway blocks malware and other risks while providing near real-time monitoring of traffic.