SSL/TLS Inspection and Man-in-the-Browser Attacks
Learn when and how to inspect encrypted HTTPS traffic on security gateways, and explore how browser-based attacks like SSL stripping and malicious extensions work.
Why Inspect Encrypted Traffic?
HTTPS now accounts for more than 90% of web traffic — including malware downloads, C2 channels, and data exfiltration. Perimeter security tools that cannot inspect TLS see only encrypted blobs, creating a blind spot that attackers actively exploit. SSL/TLS inspection (also called SSL interception, SSL bumping, or deep packet inspection for HTTPS) allows security gateways to decrypt, inspect, and re-encrypt HTTPS traffic before it reaches the endpoint. This visibility is essential for web content filtering, DLP, and anti-malware scanning in environments where most traffic is HTTPS.
How SSL/TLS Inspection Works
SSL inspection is technically a controlled man-in-the-middle performed by the organization's own security infrastructure. The process: Step 1: Client establishes TLS to the proxy (using the proxy's certificate signed by the corporate CA). Step 2: Proxy establishes a separate TLS session to the actual server using the server's real certificate. Step 3: Proxy decrypts traffic from the client, inspects it, then re-encrypts and forwards it to the server (and vice versa). The client trusts the proxy's certificate because the corporate CA certificate is pre-installed on all managed endpoints via MDM or Group Policy.
# SSL inspection flow
Client Proxy (SEG) Real Server
| | |
|--TLS ClientHello------>| |
| (proxy cert presented)| |
|<-TLS Established-------|--TLS ClientHello----->|
| |<-TLS Established------|
|--HTTPS Request-------->| |
| |--HTTPS Request------->|
| |<-HTTPS Response-------|
| (inspect, DLP, AV) | |
|<-HTTPS Response--------| |
| | |All lessons in this course
- Email Authentication: SPF, DKIM, and DMARC
- Secure Email Gateways and Anti-Spam Controls
- Web Content Filtering and DNS Sinkholes
- SSL/TLS Inspection and Man-in-the-Browser Attacks