HTTPS and SSL decryption

As you browse online, you'll notice the modern web runs on encrypted traffic; since the beginning of 2017, over 50% of the web pages loaded by Firefox have been HTTPS sites. 60 to 70% of school traffic is HTTPS. Encrypted traffic is becoming the norm.


This shift has improved security on the internet, but it has also created a challenge for schools when it comes to web filtering and monitoring. How do we ensure that students aren't viewing inappropriate content on HTTPS websites? The solution isn't to block all HTTPS traffic; it's SSL decryption.

Without SSL decryption, your ability to filter internet traffic is severely limited, but how does it work? In general, most products will offer one of two options. The first is domain-based SSL filtering, which requires no certificate distribution. The second is SSL interception and decryption, which does require a certificate. Most products require you to select one or the other, but Cipafilter can do both simultaneously.

Most products on the market only recently delved into SSL decryption. At one time, many products only sniffed HTTPS traffic, but intercepting and decrypting SSL traffic requires a different approach. One way is to install programs or extensions on the device to filter traffic in the browser, before it is encrypted. These kinds of applications need to run on the local machine and are plagued by their own set of circumvention issues. The other, more secure method for filtering HTTPS is to send that traffic through a proxy server.

SSL Decryption Using SQUID

To do this, most products are based around the same open-source proxy project, SQUID. SQUID does the job, but it's far from perfect. It's inefficient, isn't very flexible, and doesn't scale well to the demands of a modern network, often being limited to fewer than 5,000 connections per instance. This has led to a number of issues with some of our competitors, like overloading hardware or the need to purchase multiple expensive units.

Cipafilter and SSL Decryption

Foreseeing these issues, Cipafilter developed our own proxy system to avoid these troubles. This has enabled us to not only create more capable filtering technology, but also to enhance performance. Cipafilter’s custom connection management engine can handle over half a million connections per instance; we can efficiently handle way more traffic than any other product because we're not connection bound.

SSL configuration

Developing our own proxy also allowed us to build great flexibility and customization into our device. Using Cipafilter, you can enable decryption for some users while relying on domain blocking for others. Either by subnet or by Group, we can decrypt traffic for students only while allowing teachers unimpeded internet access. We can also selectively decrypt on a per-site basis, meaning we can decrypt and inspect some sites while not decrypting sensitive traffic such as banking sites.

Additional Benefits of SSL Decryption with Cipafilter

If you're still wondering if you should decrypt HTTPS pages, here are a few of the benefits you'll get by enabling SSL decryption with Cipafilter:

  • URL level blocking, allowing students access to the school's or teacher's Google Sites page, while blocking other Google Sites pages, like games.

  • Search term reporting, Suspicious Search notifications, and Enhanced Safe Search.

  • Our powerful InSite™ reports, now with Content Preview for YouTube Videos, enabling you to understand exactly what your students are looking at on your network.

  • Use of Cipafilter's context-sensitive filtering engine. Remember, 60-70% of school web traffic is HTTPS, and yet over 75% of schools fail to properly filter that encrypted traffic. Cipafilter blocks the inappropriate content that many products fail to even detect.

  • Added protection against malware. Modern malware hides its actions behind HTTPS. SSL Decryption unmasks this malware, allowing it to be stopped.

These are just some of the benefits that you'll get by enabling SSL decryption with Cipafilter. Want to know more or see it in action? Contact us to schedule a webinar, and we'll show you what Cipafilter can do for your school.
