Last Updated on December 3, 2023
SSL Inspection or HTTPS Inspection is the process of intercepting SSL-encrypted internet communication between the client and the server. The interception applies to traffic flowing from the client to the server and vice versa.
We know that SSL encryption helps keep our crucial data safe. Every bit of data is encrypted, so that data tampering or third-party intervention is not possible. However, that is no longer the whole story: SSL can now be used to hide malware (malicious software), which goes unnoticed because security tools cannot see inside the encrypted traffic.
That’s where SSL Inspection comes into the picture. SSL Inspection is intended to filter out dangerous content, such as malware. This inspection is also called Deep SSL Inspection or Full SSL Inspection. It allows the user to perform web filtering, email filtering, antivirus scanning, etc.
So, how does this SSL Inspection remove the malware?
Basically, SSL Inspection uses an interception device between the server and the client. The interceptor sits between the two and all the traffic goes through it. When a connection is made to the web server, the interceptor intercepts the traffic passing through, decrypts it and scans it.
Once the scanning is done, it forms another SSL connection with the client, so the data is delivered to the client encrypted again.
Here’s an overview of SSL Inspection:
- First, the interceptor intercepts the incoming traffic and decrypts the HTTPS sessions between clients and servers.
- Once the traffic has been decrypted, the interceptor inspects the content using antivirus scanning, web filtering, etc.
- Then the interceptor re-encrypts the traffic and forwards it to the destination, in this case the web server.
In 2015, there was an incident involving Lenovo PCs that shipped with a preinstalled image-advertisement optimizer developed by Superfish. Superfish is a form of adware that can hijack encrypted web sessions and open a system up to potential HTTPS man-in-the-middle (MITM) attacks, which means ads can be injected even into encrypted pages.
This allows a third party to intervene and eavesdrop on or modify the HTTPS-secured communication, and the remarkable thing is that the user gets no browser warning. Once this mistake was made public, Microsoft released an update for Windows Defender that removed Superfish.
However, this was not the first time the Superfish software had been installed. Mozilla Firefox, Apple and Microsoft Windows also expressed concern that Superfish was installed on their users’ computers.
Qualified personnel said that Superfish was not directly responsible for the incident; a third party was involved behind the scenes. They found that the code involved in the incident was attributed to the tech company Komodia. Komodia refers to its HTTPS-decrypting and interception software as an SSL hijacker and has been doing so since 2011.
Shortly after the Superfish incident, another piece of SSL interception software, PrivDog, made by Adtrustmedia, was also found to be vulnerable. PrivDog is an advertising program that intercepts HTTPS connections and replaces bad advertisements with advertisements approved by Adtrustmedia.
PrivDog is marketed as a solution to protect users against malicious advertising without completely blocking ads. To replace ads on websites protected with HTTPS, PrivDog installs a self-generated root certificate on the system and then runs as a man-in-the-middle proxy.
When users access HTTPS-secured sites, PrivDog hijacks their connections and replaces the legitimate certificates of those sites with new ones signed by its own locally installed root certificate.
Since the root certificate PrivDog installs on computers is trusted by browsers, all certificates that chain back to it are also trusted. This means users will think they are speaking securely to the websites they accessed, while in the background PrivDog decrypts and manipulates their traffic.
This approach used by PrivDog is called Man-in-the-Middle. Not a bad approach by PrivDog, though.
The only difference between PrivDog and Superfish is that Superfish’s mistake was to use the same certificate across all deployments, whereas PrivDog copied the self-signed certificate presented to the user and signed it with its own trusted root certificate, thus forcing the browser to accept it.
But PrivDog’s mistake was that it didn’t validate those certificates before re-signing them. Soon PrivDog was caught and its methods were exposed to the public. However, it was noted that there was nothing wrong with Comodo, the security vendor PrivDog had ties with.
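The overview above describes an inspection proxy that terminates the browser's HTTPS session and opens a second, upstream connection to the real server, and the PrivDog story shows what goes wrong when that upstream leg skips certificate validation: whatever the server presents gets re-signed with the trusted inspection root, so the browser can no longer tell a legitimate site from an impostor. The following is an added example, not code from the article, PrivDog or any inspection product; it assumes a proxy written in Python with the standard-library `ssl` module, and the finding labels returned by `audit_upstream_context` are my own naming. It shows the weak upstream configuration beside the hardened one and a small audit that flags the weak settings.

```python
"""
Added example: upstream TLS policy for an HTTPS inspection proxy.

The proxy has two TLS legs: one towards the browser (signed by the
inspection root) and one towards the real web server. Because the
browser only ever sees the proxy's certificate, the proxy itself must
perform the validation the browser would otherwise have done.
Nothing here touches the network; it only builds and audits contexts.
"""
import ssl


def weak_upstream_context() -> ssl.SSLContext:
    """The PrivDog-class mistake: accept any server certificate upstream
    (self-signed, expired, wrong hostname) and then hand the browser a
    leaf re-signed by the trusted inspection root anyway."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # hostname mismatches ignored
    ctx.verify_mode = ssl.CERT_NONE   # chain never checked at all
    return ctx


def hardened_upstream_context() -> ssl.SSLContext:
    """What the upstream leg should look like: OS CA bundle, full chain
    verification, hostname matching and no legacy TLS versions. A server
    that fails here must produce an error towards the browser instead of
    a forged, valid-looking certificate."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_upstream_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings (empty when the context is acceptable).
    Finding labels are this example's own, not a standard vocabulary."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Without CERT_REQUIRED any certificate, including a self-signed
        # one from an attacker in the path, is accepted upstream.
        findings.append("chain-not-verified")
    if not ctx.check_hostname:
        # A valid certificate for the wrong name would still be accepted.
        findings.append("hostname-not-checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        # The proxy downgrades the whole path to what the server offers.
        findings.append("legacy-tls-allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_upstream_context()),
                      ("hardened", hardened_upstream_context())):
        print(f"{name:9s} findings: {audit_upstream_context(ctx) or 'none'}")
```

The audit is deliberately a property check on the `SSLContext` rather than a live handshake, so it can run in a unit test or a deployment pre-flight for any proxy code that builds its upstream context this way. The design point it encodes is the one the article's Superfish and PrivDog stories make: once a trusted inspection root is on the endpoint, the proxy's upstream validation is the only certificate validation left, so it has to be at least as strict as the browser's.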