The strategy for decrypting outbound traffic requires a somewhat more detailed understanding of PKI. Look back again at the Encryption 101 section above. I intentionally skipped an important detail right after Step 2 to keep it simple. What really happens after the server sends its certificate to the browser is that, before going any further, the browser decides whether or not it trusts the certificate. It makes this decision based on who signed the certificate. An entity that signs certificates is called a certificate authority, and browsers come pre-loaded with a list of trusted certificate authorities. Any website certificate signed by a certificate authority that the browser trusts will also be trusted. We can exploit this behavior to decrypt outbound traffic like this:
- Make the decryption device a certificate authority, giving it the ability to sign certificates
- Configure the users' browsers to trust the new certificate authority
- Place the decryption device inline between the users and the Internet
Do you see where we are going with this? When a user browses to an encrypted website, the decryption device intercepts the request, generates a new certificate on the fly pretending to be the Web server, signs it with its own certificate authority, and sends it to the user. And because the user's browser is configured to trust certificates signed by the decryption device's certificate authority, it will have no idea that it has had the wool pulled over its eyes and will continue establishing the encrypted connection. The decryption device then establishes its own connection to the actual Web server and transparently proxies all requests between the user and the server.
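To make that trust decision concrete, here is an added example (not from the original article) that acts out the three steps above in miniature with the openssl command line: a private CA is created, a certificate for a hostname is signed with it, and the same certificate is then checked against a trust store that contains the CA and one that does not. The CA name, hostname and file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the article. Shows why a client that trusts the
# decryption device's CA accepts an on-the-fly certificate, while a client
# without that CA in its store rejects the very same certificate.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="intranet.example.test"   # constructed hostname for the demo

# Step 1: the decryption device becomes a certificate authority
# (openssl's defaults mark a self-signed "req -x509" cert as CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Demo Decryption CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Step 2 (device side): mint a leaf certificate that claims to be $HOST
# and sign it with the CA, exactly what happens "on the fly" per site.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.cnf" \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# Step 3 (client side): the browser's decision, reduced to "does the leaf
# chain to a CA in the trust store given as $1?" (exit 0 = trusted).
verify_with_store() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# A browser that was configured to trust the device's CA.
trusted_by_private_ca() { verify_with_store "$WORK/ca.pem"; }

# A browser that was not: an empty trust store stands in for one
# that lacks the private CA.
trusted_by_empty_store() {
  : > "$WORK/empty.pem"
  verify_with_store "$WORK/empty.pem"
}

if trusted_by_private_ca; then
  echo "CA in trust store:     leaf for $HOST accepted"
fi
if trusted_by_empty_store; then
  echo "unexpected: leaf accepted without the CA"
else
  echo "CA not in trust store: leaf for $HOST rejected"
fi
```

The rejection in the second case is the error a user would see if the device's CA were deployed without step 2, which is the usual symptom when a new decryption appliance goes live before the CA has been pushed to all endpoints.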
Not all of the decryption methods described above are appropriate for every scenario. You'll have to analyze your architecture to determine which solution works for your environment. Many vendors produce decryption-capable systems, and I recommend you take a look at the strengths and weaknesses of several before deciding which to deploy. Be sure you understand the limitations of each and test in a lab or pilot environment before a production deployment.
With the right tools in the right place, you can take a peek inside your traffic and see what's lurking inside.