cubro blog headerpic with technical details, icons
  • Home
  • Blog
  • SSL/TLS Decryption - What's the point?

SSL/TLS Decryption - What's the point?

SSL/TLS Decryption - What's the point?

Additional features are typically used in any industry as a means to give a product more apparent value but, of course, for a much higher price.

Example: A base-model car has 5 speakers, but you can upgrade to 8 or even 12 speakers. Did you really need them though? In a car, it is a question of the luxury feeling whether to pay a premium on top.

A network packet broker is a tool, it should do its job well and in the background. Solutions which offer SSL/TLS Decryption can experience significant performance degradation.

 

Myth:

Full visibility on entire traffic including the decrypted traffic. Monitoring tools can see all the traffic and protect your network. The feature provides visibility into encrypted sessions, sending decrypted packets to both inline and out-of-band security tools.

 

Reality:

It is only possible to passively decrypt SSL/TLS traffic when you own the certificate used in a connection and certain SSL/TLS encryption methods are not used (no perfect forward-secrecy).

Alternatively, you can actively decrypt the traffic by being a man-in-the-middle of the traffic, but for this to work there are only few application where this can be used, inside a company/organisation where everybody uses the company's own certificate, typically, on company-owned devices. But this means that the traffic of a private mobile device on the company WLAN cannot be decrypted this way. And thanks to things like certificate pinning (where an application expects a particular certificate for a particular domain and does not accept your) some traffic cannot be decrypted even under otherwise perfect circumstances.

Leave a comment

You are commenting as guest.

always up to date stempel
Newsletter
CONTACT

  • Cubro Network Visibility
  • Ghegastraße 3, 1030 Vienna Austria
  • Tel.:+43 1 29826660
  • Fax: +43 1 2982666399
  • Email: This email address is being protected from spambots. You need JavaScript enabled to view it.