Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, August 2, 2012

SSL Inspection, is it time yet?

I was at Black Hat in Las Vegas last week, and once again, one of the top questions I heard around web security was when and how an organization starts doing SSL inspection on web traffic. It's a tough issue for most organizations, and until now many have chosen just to ignore it by bypassing SSL traffic and leaving it uninspected.

But it's getting harder for organizations to ignore that SSL traffic now that many common websites allow users to stay completely encrypted when using the site. This is true for Twitter, Facebook, Gmail, and other popular websites. Left uninspected, that encrypted traffic lets malware through to the organization and also allows users to unintentionally (or intentionally) send company-confidential information out to the internet.

The reason that organizations don't already have a higher rate of SSL inspection is that it's not an easy task to implement it throughout the organization. First, SSL inspection means breaking the SSL connection using an SSL proxy, essentially a man in the middle. The difficulty here is, of course, that the SSL certificate presented back to the user won't be the one from the site they're trying to connect to. That means either training users to understand that the certificate presented by the proxy is valid and to accept the warnings from the browser, or alternatively pushing out the certificate to all the systems in the organization so it's automatically accepted.

Then there's the fine line of determining what can be intercepted and what can't within the realm of the organization's policies around privacy. A decent web security gateway will let you set policy so that all SSL is intercepted except for, say, financial sites, where privacy may dictate letting those sites be bypassed. In addition, policy may differ by user or group, and perhaps there's different inspection, or even no inspection, for certain users.
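The kind of policy described above can be pictured as an ordered rule list where the first match wins. The sketch below is an added example, not code or configuration from any gateway product; the rule fields, the "legal" group, the category table, and the hostnames are all constructed for illustration.

```python
# Added illustration: first-match SSL interception policy (all names are hypothetical).
from dataclasses import dataclass
from typing import Optional

# Constructed category table; a real gateway would use its own URL categorization.
CATEGORIES = {
    "bank.example": "financial",
    "webmail.example": "webmail",
}

def categorize(host: str) -> str:
    """Match on DNS label boundaries so 'notbank.example' is not treated as 'bank.example'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"

@dataclass(frozen=True)
class Rule:
    action: str                      # "intercept" or "bypass"
    group: Optional[str] = None      # None matches any group
    category: Optional[str] = None   # None matches any category

# Ordered policy: the first matching rule wins, the last rule is the default.
POLICY = [
    Rule("bypass", group="legal"),         # no inspection for certain users
    Rule("bypass", category="financial"),  # privacy carve-out for financial sites
    Rule("intercept"),                     # everything else is inspected
]

def decide(host: str, groups: set) -> str:
    """Return the action for a requested hostname and the user's group memberships."""
    category = categorize(host)
    for rule in POLICY:
        if rule.group is not None and rule.group not in groups:
            continue
        if rule.category is not None and rule.category != category:
            continue
        return rule.action
    return "intercept"  # inspect if the policy was written without a default rule

if __name__ == "__main__":
    for host, groups in [("login.bank.example", {"staff"}),
                         ("notbank.example", {"staff"}),
                         ("webmail.example", {"legal"})]:
        print(host, sorted(groups), "->", decide(host, groups))
```

Matching the bypass list on whole DNS labels rather than substrings keeps the privacy carve-out from silently widening to lookalike hostnames.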

No matter what policy is actually implemented, it's not hard to see the writing on the wall: SSL inspection is coming to a web security gateway near you.