TLS traffic communicated through gateways is decrypted and inspected.
Topic: Transport Layer Security filtering
Applicable to: all
Priority: should

History

Mar 2022
TLS traffic communicated through gateways is decrypted and inspected.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
Jan 2020
For TLS traffic communicated through internet gateways, either of the following approaches are implemented:
§ a solution that decrypts and inspects all TLS traffic as per content filtering security controls
§ a whitelist of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls.
Security control 0263 was modified to reflect that TLS content passing through an internet gateway is no longer an ‘if’ but the norm.
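The control above leaves open how a gateway decides which TLS connections are passed through untouched and which are sent for decryption and inspection. The following is an added illustration of that decision, not text from the ISM or a product's own logic. It assumes the gateway matches the allowlist against the server name in the TLS ClientHello (SNI), that allowlist entries are either exact hostnames or dot-prefixed suffixes covering subdomains, and that the two historical defaults (the Jan 2020 wording decrypts and inspects everything not allowlisted; the 2010 wording blocked it) are selected by an `inspect_non_allowlisted` flag. The connection log lines are constructed for the example.

```python
"""Illustrative gateway TLS allowlist policy (added example, not ISM or vendor code)."""
from dataclasses import dataclass
import ipaddress
import re

DECRYPT_INSPECT = "decrypt_and_inspect"
PASS_THROUGH = "pass_through"
BLOCK = "block"


def normalise_host(name: str) -> str:
    """Canonical form for matching: trimmed, no trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


def is_ip_literal(name: str) -> bool:
    """True for IPv4/IPv6 literals, which an allowlist of hostnames never covers."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class TlsPolicy:
    # Entries like "bank.example" (exact) or ".example.gov.au" (that host and all subdomains).
    allowlist: frozenset
    # True  -> Jan 2020 wording: non-allowlisted traffic is decrypted and inspected.
    # False -> 2010 wording: non-allowlisted traffic is blocked.
    inspect_non_allowlisted: bool = True

    def is_allowlisted(self, sni: str) -> bool:
        host = normalise_host(sni)
        # No server name (or an IP literal) gives nothing to match, so it is not allowlisted.
        if not host or is_ip_literal(host):
            return False
        for raw in self.allowlist:
            entry = normalise_host(raw)
            if entry.startswith("."):
                # Suffix match anchored on the dot, so "evilexample.gov.au"
                # does not match ".example.gov.au".
                if host == entry[1:] or host.endswith(entry):
                    return True
            elif host == entry:
                return True
        return False

    def decide(self, sni: str) -> str:
        """Return the action the gateway takes for a connection to this server name."""
        if self.is_allowlisted(sni):
            return PASS_THROUGH
        return DECRYPT_INSPECT if self.inspect_non_allowlisted else BLOCK


_SNI_FIELD = re.compile(r"\bsni=(\S*)")


def evaluate_log(lines, policy: TlsPolicy):
    """Map each constructed connection log line to (sni, action)."""
    results = []
    for line in lines:
        match = _SNI_FIELD.search(line)
        sni = match.group(1) if match else ""
        results.append((sni, policy.decide(sni)))
    return results


# Constructed sample log lines (hypothetical format: one 'sni=' field per connection).
SAMPLE_LOG = [
    "ts=2020-01-15T10:00:01Z src=10.0.0.5 dst=203.0.113.10:443 sni=Portal.Example.GOV.AU.",
    "ts=2020-01-15T10:00:02Z src=10.0.0.6 dst=203.0.113.11:443 sni=evilexample.gov.au",
    "ts=2020-01-15T10:00:03Z src=10.0.0.7 dst=203.0.113.12:443 sni=bank.example",
    "ts=2020-01-15T10:00:04Z src=10.0.0.8 dst=203.0.113.13:443 sni=203.0.113.13",
    "ts=2020-01-15T10:00:05Z src=10.0.0.9 dst=203.0.113.14:443",
]

if __name__ == "__main__":
    policy = TlsPolicy(frozenset({"bank.example", ".example.gov.au"}))
    for sni, action in evaluate_log(SAMPLE_LOG, policy):
        print(f"{sni or '<no sni>':30} -> {action}")
```

Two points the code makes explicit that the control text does not: a connection with no usable server name (no SNI, or an IP literal) cannot be allowlisted and falls to the default action, and the SNI is supplied by the client, so a gateway that passes an allowlisted connection through without decryption should still confirm that the server certificate it observes actually matches the allowlisted name before treating the exception as satisfied.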
Dec 2019
If permitting TLS through internet gateways, either of the following approaches is implemented:
§ a solution that decrypts and inspects TLS traffic as per content filtering security controls
§ a whitelist specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses blocked or decrypted and inspected as per content filtering security controls.
2015
Agencies permitting TLS through their gateways should implement either:
• a solution that decrypts and inspects the TLS traffic as per content filtering requirements
• a whitelist specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses either blocked or decrypted and inspected as per content filtering requirements.
2010
Agencies permitting SSL/TLS through their gateways should implement either:
• a solution that decrypts and inspects the SSL/TLS traffic as per content filtering requirements
• a whitelist specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses blocked.
2008
Agencies permitting Secure Sockets Layer/Transport Layer Security (SSL/TLS) through their gateways should implement: a. a solution that decrypts and inspects the SSL/TLS traffic as per the Web content filtering requirements and/or b. a whitelist specifying the external uniform resource locators to which encrypted connections are permitted, with all other addresses blocked.