SSL Bumping and SSL Splicing are techniques used by security devices, such as proxies or firewalls, to manage SSL/TLS traffic. While SSL Bumping refers to the broader concept of intercepting and possibly decrypting SSL traffic, SSL Splicing is a specific technique within the SSL Bumping methodology. SSL Bumping requires user acceptance and breaks end-to-end encryption, whereas SSL Splicing maintains encryption and does not require user intervention.
SSL Bumping: Full Interception and Decryption
In SSL Bumping, the proxy server generates a temporary SSL certificate for the target website and presents it to the client in place of the site's real certificate. This technique involves full decryption and inspection of the traffic, which provides deep security analysis at the cost of performance and privacy. Example scenario: a company wants to inspect all web traffic for malware, data leaks, and policy compliance, so it deploys a proxy server configured to perform SSL Bumping.
Primarily used for inspecting encrypted traffic, such as in corporate firewalls or parental control software.
Technique used:
- Temporary SSL Certificate: Generated by the proxy server to intercept the connection.
- Man-in-the-Middle (MitM): The proxy server acts as a MitM, intercepting and decrypting the traffic.
- Encryption Key Exchange: The client completes its key exchange with the proxy server rather than with the origin website, so the proxy holds the session keys and can decrypt the traffic.
SSL Splicing: Selective Interception Without Decryption
SSL Splicing does not generate a temporary certificate. The proxy only inspects the initial handshake and then passes the encrypted connection through without decrypting its content, which makes the method less intrusive, more efficient and privacy-friendly, but limits the security policy it can enforce. Example scenario: a company wants to optimize network performance by avoiding decryption for certain types of traffic while still enforcing some level of security.
Primarily used for content filtering, such as blocking specific websites or categories.
Technique used:
- SSL/TLS Session Key Extraction: Extracting session keys from the SSL/TLS handshake.
- Data Stream Inspection: Inspecting the decrypted data stream in real time.
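The splice-or-bump decision described above is made from the unencrypted ClientHello, before any decryption happens. The following added example (not code from the original page or from any proxy product) builds a constructed TLS ClientHello, extracts the Server Name Indication (SNI) from it, and applies a hypothetical policy: the host names in BLOCKED_HOSTS, BUMP_HOSTS and the verdict strings are assumptions for illustration only.

```python
import struct

# Hypothetical policy lists for the example; a real proxy would load these from its config.
BLOCKED_HOSTS = {"blocked.example"}        # refuse the connection outright
BUMP_HOSTS = {"upload.example"}            # categories worth full decryption (SSL Bumping)

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal, constructed TLS ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random (zeroed: sample data)
            + b"\x00"                           # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                       # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent or malformed."""
    try:
        if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                       # skip record/handshake headers, version, random
        pos += 1 + record[pos]                 # session_id
        (cs_len,) = struct.unpack_from("!H", record, pos); pos += 2 + cs_len
        pos += 1 + record[pos]                 # compression methods
        (ext_len,) = struct.unpack_from("!H", record, pos); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack_from("!HH", record, pos); pos += 4
            if ext_type == 0x0000:
                (name_len,) = struct.unpack_from("!H", record, pos + 3)  # skip list len + name_type
                return record[pos + 5 : pos + 5 + name_len].decode("ascii")
            pos += length
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    return None

def decide(record: bytes) -> str:
    """Peek at the handshake only: terminate, splice (pass through encrypted) or bump (decrypt)."""
    sni = extract_sni(record)
    if sni is None:
        return "bump"          # no name to filter on, so only decryption can enforce policy
    if sni in BLOCKED_HOSTS:
        return "terminate"     # content filtering without ever decrypting
    if sni in BUMP_HOSTS:
        return "bump"
    return "splice"            # leave end-to-end encryption intact
```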