SSL inspection (TLS interception)
Definition
A technique in which an intermediary device terminates an incoming TLS session, inspects the decrypted content, then re-encrypts and forwards it, presenting the client with a certificate signed by a CA that the client trusts. Used in enterprise environments to enforce security policy on encrypted traffic. Also called a man-in-the-middle proxy when performed without the endpoint's knowledge.
Related terms
- Flow record: A summary record of a network conversation, typically recording source and destination IP addresses and ports, protocol, start time, duration, byte count...
- JA3 fingerprint: An MD5 hash computed from selected fields of the TLS Client Hello: the TLS version, cipher suites, extensions, elliptic curves, and elliptic-curve...
- Server Name Indication (SNI): A TLS extension sent in plaintext in the Client Hello message that identifies the hostname the client intends to reach. SNI is...
- SSLKEYLOGFILE: A file format, originally implemented in Mozilla Firefox and later adopted by Chrome and other browsers, that logs TLS session keys as...
- Traffic fingerprinting: The process of identifying an application, protocol, or user action from statistical properties of an encrypted flow, such as packet size distributions,...
Explained in
- Encrypted Traffic Analysis