Topic 24

TLS Inspection and Proxies

Inspection

Encryption protects users, and it protects attackers too — malware hides its command-and-control and exfiltration inside TLS, invisible to network inspection. Organizations respond with TLS-inspecting proxies that decrypt, inspect, and re-encrypt outbound traffic, which restores visibility but breaks end-to-end encryption and introduces its own risks.

This topic covers forward proxies, TLS interception, and the sharp tradeoff between visibility and the guarantees TLS was supposed to give — so Meridian buys visibility deliberately rather than breaking encryption everywhere by reflex.

The Visibility Gap

Once traffic is TLS-encrypted, an IDS sees only metadata; the payload — including a malware download or a data exfiltration — is opaque. This is the uncomfortable flip side of "encrypt everything": the same protection that keeps users safe from eavesdroppers also blinds defenders to what a compromised host is doing on the wire.

Forward Proxies and Egress Control

Routing outbound traffic through a proxy gives a chokepoint to log, filter by destination, and enforce policy — block known-bad domains, allow-list categories — even without decrypting anything. Filtering by the destination and SNI catches a great deal of command-and-control and exfiltration by where it is going, and it is a far lighter, lower-risk first step than full interception.

TLS Interception, Concretely

Full interception means the proxy terminates the client's TLS, inspects the plaintext, then opens its own TLS to the destination. Clients must trust the proxy's certificate authority, so the organization installs its root on managed devices — which is, precisely, a sanctioned man-in-the-middle. It restores payload visibility, at the cost of becoming the exact thing TLS was designed to prevent.

The Risks of Interception

Interception weakens the security property TLS provides, can silently downgrade cipher or certificate validation if the proxy is sloppy, and concentrates all plaintext at one appliance — a single, enormous target. It also breaks certificate pinning and some applications, and runs into privacy and legal constraints for sensitive categories like health and banking. The sane stance is to start with metadata and egress control, and intercept TLS only for the highest-risk categories, on managed devices, with the proxy secured as a crown-jewel asset.

Metadata Inspection vs Full TLS Interception

Metadata / egress proxy — sees domains (SNI), destinations, and volumes; low risk, no decryption, and it catches a lot of command-and-control and exfiltration by destination.

Full TLS interception — sees the full payload; maximal visibility, but breaks end-to-end encryption, centralizes plaintext, and can weaken security if misconfigured. Start with metadata; intercept only where the risk justifies the cost.

Common Mistakes
  • Deploying TLS interception with a poorly secured proxy that becomes a single point holding all plaintext and a prime target.
  • Interception appliances that validate upstream certificates weakly, silently downgrading the security every client thinks they have.
  • Breaking certificate pinning and critical apps by intercepting everything indiscriminately, then getting whitelisted into irrelevance.
  • Ignoring egress entirely, leaving encrypted command-and-control and exfiltration completely unmonitored.
  • Intercepting sensitive categories — health, banking — with no regard for privacy and legal constraints.
Best Practices
  • Start with an egress proxy for logging and destination and category filtering before considering decryption.
  • If you intercept, secure the proxy as a crown-jewel asset, validate upstream certificates strictly, and scope interception to high-risk categories on managed devices.
  • Respect pinning, privacy, and legal boundaries; exclude sensitive categories from decryption.
  • Combine egress visibility with endpoint detection (Chapter 7) so you are not solely dependent on breaking TLS.
  • Log and alert on egress destinations even where you do not decrypt, since SNI and domain alone catch much C2.
Comparable toolsEgress / proxy Squid · Zscaler · Cloudflare GatewayInspection SSL-inspecting NGFW / SWG · SNI filteringComplement Endpoint detection — Chapter 7

Knowledge Check

Why does universal TLS create a problem for defenders as well as a benefit for users?

  • It hides payloads, so malware's C2 and exfiltration go unseen
  • It makes the network slower for everyone
  • It prevents firewalls from applying any rules
  • It completely stops attackers from using the corporate network at all

What is the lower-risk first step before full TLS interception?

  • An egress proxy that filters by destination and SNI
  • Disabling TLS on all outbound connections
  • Installing the proxy's root CA on every employee's home device
  • Blocking all outbound traffic permanently

What new risk does full TLS interception introduce?

  • Decrypted plaintext concentrates at one high-value target
  • It makes valid TLS certificates completely impossible to issue anywhere
  • It speeds up attackers' exfiltration
  • It removes the need for endpoint detection

You got correct