What Is SSL Inspection?

How SSL/TLS inspection works, why organizations use it, and the security and privacy trade-offs. Also known as TLS interception or SSL decryption.

SSL inspection is the practice of decrypting encrypted HTTPS traffic, examining its contents, and then re-encrypting it before sending it to its destination. It's a man-in-the-middle approach, but by design -- organizations use it to detect malware, prevent data leaks, and enforce security policies on traffic that would otherwise be invisible.

Also called TLS interception, HTTPS inspection, or SSL decryption, it's a security technique used by enterprises, schools, and government agencies worldwide. Here's how it works, why organizations use it, and the trade-offs you should understand.

How SSL Inspection Works

Under normal HTTPS, your browser establishes a direct encrypted connection with the web server. Nobody in between can read the traffic -- not your ISP, not your network administrator, not anyone.

SSL inspection breaks this model intentionally. Here's the flow:

1. Client initiates HTTPS connection

Your browser or application tries to connect to a website over HTTPS, as usual.

2. Inspection proxy intercepts the connection

Instead of connecting directly to the server, your traffic hits an SSL inspection proxy (a firewall, gateway, or dedicated appliance). This proxy sits between your device and the internet.

3. Proxy connects to the real server

The inspection device establishes its own TLS connection to the destination server, validating the real server's certificate as any client would. From the server's perspective, it's just a normal client connection.

4. Traffic is decrypted and inspected

The proxy decrypts the traffic passing through it, scans it for malware, data loss, policy violations, or other threats, then makes allow/block decisions.

5. Proxy re-encrypts and forwards to client

The proxy creates a new TLS connection to your device, using a certificate generated on the fly and signed by the organization's internal certificate authority (CA). Your browser sees a valid certificate because the organization's CA has been pre-installed as a trusted root on your device.

The result: your browser shows a padlock and thinks everything is secure. The traffic was encrypted in transit. But the inspection proxy saw everything in plaintext for a brief moment during inspection.

Why Organizations Use SSL Inspection

With over 90% of web traffic now encrypted, organizations face a visibility problem. Encryption protects users, but it also protects attackers. Malware, phishing payloads, and data exfiltration can all hide inside encrypted connections.

Malware detection

Encrypted traffic can carry malware that network-based security tools can't inspect without decryption. SSL inspection lets antivirus and IDS/IPS systems scan HTTPS traffic.

Data loss prevention (DLP)

Organizations need to detect sensitive data (credit card numbers, social security numbers, intellectual property) leaving the network, even over encrypted channels.

Compliance enforcement

Regulated industries (finance, healthcare, government) may need to log and inspect all network traffic for audit purposes.

Web filtering

Content filtering and acceptable use policies can't analyze encrypted content without inspection. A URL filter can see the domain but not the specific page or data being accessed.

The Privacy Trade-Off

SSL inspection is controversial for good reason. It fundamentally changes the trust model of HTTPS.

What users lose:

  • End-to-end encryption -- Your traffic is decrypted at the inspection point, creating a location where data exists in plaintext
  • Privacy expectations -- The organization can see everything you're doing over HTTPS, including form submissions, search queries, and personal data
  • Certificate authenticity -- You're no longer seeing the real server's certificate; you're seeing one generated by the inspection proxy

What organizations gain:

  • Visibility into encrypted threats
  • Ability to enforce security policies on all traffic
  • Compliance with regulatory requirements

Most organizations that deploy SSL inspection exclude certain categories from decryption: banking sites, healthcare portals, and other sensitive destinations. But the defaults and exceptions vary widely.

How to tell if your traffic is being inspected

Check the certificate issuer on any HTTPS site. If it shows your company's name or an internal CA instead of a public CA like Let's Encrypt or DigiCert, your traffic is being intercepted and inspected.
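A scriptable version of this issuer check, added here as an example (it is not part of the original article), using only Python's standard library: it fetches the leaf certificate your client actually receives and classifies the issuer against a short, illustrative list of public CA organization names (an assumption, not a complete trust store).

```python
import socket
import ssl

# Assumption: a few well-known public CA organization names for illustration.
# This is a heuristic, not an exhaustive trust store; an inspection CA could
# deliberately pick a misleading name, so treat a "public" verdict as likely,
# not proven.
PUBLIC_CA_ORGS = {
    "Let's Encrypt", "DigiCert Inc", "Google Trust Services LLC",
    "Sectigo Limited", "GlobalSign nv-sa",
}


def rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of the tuple-of-tuples
    that ssl.SSLSocket.getpeercert() uses for its 'issuer' and 'subject'."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def classify_issuer(cert):
    """Return ('public' | 'private', issuer label) for a getpeercert() dict."""
    issuer = cert.get("issuer", ())
    org = rdn_value(issuer, "organizationName")
    cn = rdn_value(issuer, "commonName")
    label = org or cn or "<unknown issuer>"
    kind = "public" if org in PUBLIC_CA_ORGS else "private"
    return kind, label


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Handshake using the system trust store and return the leaf cert dict.
    Behind an inspection proxy this is the proxy-minted certificate, which
    validates only because the internal CA was pre-installed on this device."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    kind, label = classify_issuer(fetch_peer_cert(host))
    print(f"{host}: issued by {label!r} -> {kind} CA")
```

Run it from inside and outside the network being checked; a different issuer for the same site is the clearest sign of interception.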

Certificate Pinning vs. SSL Inspection

Certificate pinning is a technique where applications hardcode or embed the expected certificate (or its public key) for a specific server. If the certificate doesn't match, the connection is refused.

This directly conflicts with SSL inspection. When the inspection proxy presents its own certificate (signed by the organization's internal CA), pinned applications reject it because it doesn't match the expected certificate.

The result: Applications that use certificate pinning break when SSL inspection is active. This is common with:

  • Mobile banking apps
  • Some messaging apps (Signal, WhatsApp)
  • Custom enterprise applications with embedded certificates
  • IoT devices with hardcoded certificates

Organizations typically handle this by excluding pinned domains from inspection, which creates gaps in their visibility.
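To make the conflict concrete, here is an added example (not from the original article) of a minimal certificate-fingerprint pin in Python's standard library. The hostname and the pin value are placeholders; in a real client the pin is the SHA-256 of your own server's certificate, and under SSL inspection the check fails even though the system trust store accepts the proxy's certificate.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the presented certificate matches none of the pinned hashes."""


def fingerprint(der_cert):
    """SHA-256 of the DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert, pins):
    """True only if the certificate's fingerprint matches one of the pins.
    compare_digest keeps the comparison constant-time."""
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)


def open_pinned(host, pins, port=443, timeout=5.0):
    """Open a TLS connection and fail closed unless the leaf cert is pinned.
    Normal chain and hostname validation still happen first; the pin check
    then rejects a proxy-minted leaf, which the internal CA makes 'valid' but
    which can never match the fingerprint of the real server's certificate."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if not check_pin(der, pins):
            raise PinMismatch(f"{host}: leaf cert {fingerprint(der)} is not pinned")
    except BaseException:
        tls.close()  # close before any application data is sent
        raise
    return tls


if __name__ == "__main__":
    # Placeholder pin: replace with the real fingerprint of your own server.
    PINS = ["00" * 32]
    try:
        with open_pinned("example.com", PINS) as conn:
            print("pinned connection established to", conn.server_hostname)
    except PinMismatch as exc:
        print("refused:", exc)
```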


Performance Impact

SSL inspection adds processing overhead because every connection requires two TLS handshakes (one from client to proxy, one from proxy to server) and the computational cost of decryption, inspection, and re-encryption.

What you'll notice:

  • Latency increase -- Typically 1-5 milliseconds per connection for modern hardware. Negligible for most users, but noticeable for latency-sensitive applications
  • Throughput limitations -- The inspection device becomes a bottleneck. If it can't keep up with traffic volume, everything slows down
  • CPU usage -- TLS operations are CPU-intensive. High-traffic networks need dedicated hardware or appliances with TLS acceleration

Modern SSL inspection appliances handle this well, but undersized deployments can create real performance problems. The inspection device needs to handle the aggregate TLS workload of every user on the network.

The Equifax Connection

The most famous example of SSL inspection gone wrong is the Equifax breach of 2017. Equifax had an SSL inspection device monitoring their network for data exfiltration. But the certificate on that device had expired 19 months earlier.

With the certificate expired, the inspection device stopped decrypting traffic. Attackers exfiltrated the personal data of 147 million people through encrypted connections that should have been inspected. The expired certificate created a 19-month blind spot in Equifax's network security.

This incident illustrates a critical point: SSL inspection infrastructure has its own certificates that need monitoring and renewal. An inspection device with an expired certificate is worse than no inspection at all -- it gives a false sense of security.

When SSL Inspection Makes Sense

Good use cases:

  • Enterprise networks with regulatory compliance requirements
  • Organizations in industries targeted by sophisticated malware (finance, defense, healthcare)
  • Networks with strict data loss prevention requirements
  • Environments where web filtering needs to work on HTTPS content

Poor use cases:

  • Small businesses without dedicated security teams to manage the infrastructure
  • Networks where users have strong privacy expectations (guest Wi-Fi, personal devices)
  • Environments where the performance overhead isn't justified by the security benefit
  • Organizations without the resources to properly maintain the inspection infrastructure (including certificate management)

SSL Inspection and Certificate Management

If your organization uses SSL inspection, you have additional certificate management requirements:

  • The inspection proxy's CA certificate must be distributed to all client devices and kept valid
  • The proxy's server certificate (used for the upstream connection) needs renewal like any other certificate
  • Generated certificates need to follow current standards (key size, signature algorithm) to avoid browser warnings
  • Excluded domains need regular review as applications and services change

All of these certificates need monitoring. An expired certificate anywhere in the SSL inspection chain can silently disable your security infrastructure -- as Equifax learned the hard way.
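An expiry check for the certificates a client sees on the inspection path, added here as an example (not part of the original article) in Python's standard library. The 30-day warning threshold is an assumption; pointed at an inspected site it reports on the proxy-minted leaf, and pointed at the appliance's own TLS listener it reports on the device certificate.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumption: alert this many days before expiry


def days_until_expiry(cert, now=None):
    """Days left on a getpeercert()-style dict; negative once expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400.0


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Return ('ok' | 'warning' | 'expired', days_left)."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired", days
    if days < warn_days:
        return "warning", days
    return "ok", days


def check_endpoint(host, port=443, timeout=5.0):
    """Fetch the certificate a client actually sees on host:port and classify it.
    A successful handshake through an inspection proxy also proves the
    inspection path is live, not silently bypassed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # An already-expired certificate never completes the handshake, so the
        # only signal is the verification error (OpenSSL reason code 10).
        if exc.verify_code == 10 or "expired" in str(exc.verify_message).lower():
            return "expired", None
        raise


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["example.com"]:
        status, days = check_endpoint(host)
        detail = f" ({days:.1f} days left)" if days is not None else ""
        print(f"{host}: {status}{detail}")
```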


SSL inspection sees everything -- unless its own certificate expires. Then it sees nothing.
