It also responds to Google's push for HTTPS: its search engine favors HTTPS websites in organic (natural) ranking and penalizes those that are not served over HTTPS.
Unfortunately, the security offered by SSL is also misused in several ways:
- SSL encryption is used to hide dangerous content such as viruses, spyware and other malware.
- Attackers create their own websites with SSL encryption.
- Attackers inject their malicious content into known and trusted SSL sites.
- SSL can be used to hide data leaks, such as the transmission of sensitive financial documents from an organization.
- SSL can be used to mask browsing of websites in categories that expose the organization to legal liability.
When you enable SSL inspection, Artica Proxy establishes two separate SSL tunnels, one with the user's browser and one with the destination server:
- The browser sends an HTTPS request.
- Artica Proxy intercepts the HTTPS request through a separate SSL tunnel, sends its own HTTPS request to the destination server and conducts its own SSL negotiation with it.
- The destination server sends Artica Proxy its certificate with its public key. Artica and the destination server complete the SSL handshake.
- Application data and subsequent messages are sent through the SSL tunnel.
- Artica conducts SSL negotiations with the user's browser. It sends the browser the intermediate self-signed certificate customized for your organization.
- The browser validates the certificate chain against its own certificate store.
The most important step in enabling SSL decryption through Artica Proxy is to provide a certificate that your browsers will trust.
This means you cannot avoid installing the certificate in every browser that will use the SSL proxy port.
Since the certificate has to be installed anyway for it to be trusted, an official certificate is not necessary and serves no purpose.
A self-signed certificate is more than sufficient.
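The two points above (the proxy presents a certificate it issued itself for the requested site, and the browser only accepts it if the proxy's CA is in its trust store) can be reproduced with the OpenSSL command-line tool. The script below is an added example, not part of Artica's own tooling: it builds a throwaway self-signed CA standing in for the proxy's customized certificate, issues a leaf certificate for a hostname the browser might ask for, and then verifies that leaf once with the CA trusted and once against the default store, where the CA is unknown. The CA name "Example Corp Proxy CA" and the hostname are constructed values.

```shell
#!/bin/sh
# Added example (not Artica Proxy code). Demonstrates why the proxy's
# self-signed CA must be installed in the client's trust store.
set -eu

WORK="${TMPDIR:-/tmp}/sslbump-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed CA: plays the role of the proxy's customized certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Corp Proxy CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# 2. Leaf certificate for the site the browser requested, signed on the fly
#    by the proxy CA. A subjectAltName is added because browsers ignore the CN.
make_leaf() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/leaf.csr" -days 365 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# 3a. Client that trusts the proxy CA (certificate installed): chain validates.
verify_with_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# 3b. Client using only its default store (certificate not installed):
#     the issuer is unknown, so validation fails and a browser would warn.
verify_without_ca() {
  if openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

demo() {
  make_ca
  make_leaf "www.example.com"
  echo "trusted CA installed : $(verify_with_ca)"
  echo "CA not installed     : $(verify_without_ca)"
}

demo
```

Run it as a normal shell script; the first line prints `ok` and the second `fail`. The same CA file is what has to be distributed to clients (the GPO and per-browser pages listed below cover that), and because the proxy signs a fresh leaf for every site, nothing about the leaf matters to the client beyond the issuer being in its store.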
Compared to a proxy running without decryption, the impact is on performance: decryption requires additional CPU and I/O.
If your proxy has only just enough capacity to absorb the traffic, adding SSL decryption could degrade performance.
- Activate SSL decryption on your Proxy ports
- Tune listen SSL port with TCP Keepalive.
- Activate SSL decryption with SSL rules
- Error page with the SSL certificate
- Install the Proxy certificate on Internet Explorer or Edge and Chrome
- How to deploy the SSL certificate via GPO for Chrome, Edge and Opera?
- How to deploy the SSL certificate via GPO for Firefox?