LOGBOOK

HELP

1 / 25
Other keys: showSpace: good1-4: rate0: skip5: flag6: invert

Question

What is TLS Decryption (SSL Forward Proxy) on a firewall, and why is it useful?

Answer

TLS Decryption is a "controlled MITM": the firewall terminates the client's TLS session, inspects the plaintext, then re-encrypts to the real server.

Firewall terminates the client TLS with a forged cert, opens its own TLS to the server, decrypts and re-encrypts.

* SSL Forward Proxy as a controlled MITM: decrypt-inspect-re-encrypt. *

Without it, the firewall sees only encrypted bytes for HTTPS traffic — it cannot do URL filtering, malware scanning, or content inspection on encrypted payloads. With SSL Forward Proxy, the FW becomes the man-in-the-middle on purpose.

How it works:

  1. Client requests https://example.com.
  2. Firewall intercepts, presents its own certificate to the client (signed by a CA the client trusts).
  3. Firewall opens a separate TLS session to the real server.
  4. FW decrypts → inspects → re-encrypts in both directions.

Why "controlled MITM":

  • An attacker doing this would be malicious — but here, the organization owns the FW and installed its CA on every client device, so the client trusts it.
  • Same cryptographic technique as a real attack — only the trust relationship makes it legitimate.

Tip: SSL Forward Proxy = legal MITM. Same break-and-inspect mechanism as mitmproxy/Burp Suite, just at the perimeter.

Go deeper:

Incoming HTTPS traffic gets decrypted and forwarded to a web service in the private network.
Incoming HTTPS traffic gets decrypted and forwarded to a web service in the private network.
Galgalesh · CC BY-SA 4.0 · Wikimedia Commons
or press any other key