What HTTP Inspection Actually Is
HTTP inspection (often called HTTPS inspection, SSL inspection, or TLS inspection) is essentially a corporate-sanctioned man-in-the-middle attack. Your company intercepts, decrypts, examines, and re-encrypts all of your supposedly "secure" web traffic.
Here's what actually happens:
- Certificate substitution: Your company installs its own root certificate on your device
- Traffic interception: All HTTPS requests go through corporate proxy servers first
- Complete decryption: The proxy decrypts ALL your HTTPS traffic - every username, password, credit card number, personal message, medical record, financial transaction
Do I oppose HTTP inspection?
No, absolutely not, but the caveat is that you need honesty. Ironically, back in the days of Threat Management Gateway (TMG) this was supported out of the box, but as with many options like this there are legal ramifications; you can clearly see the warning in TMG:
If we also take a look at Cloudflare Zero Trust, which I actively use as one of my secure network providers, you can see from below that without my device trusting the certificate I can't connect:
How has your HTTPS inspection been enabled?
If this feature is enabled, and everyone is informed that it's enabled, then people are knowingly advised that data can be intercepted and inspected. However, if it gets enabled in some "secret squirrel" 🐿️ fashion, done out of hours with no one advised, then no, I don't think it's done ethically.
The majority of your users will be blissfully unaware that this option has been enabled; many will also look to the padlock icon to confirm the site is secure. That padlock, unfortunately, is not particularly truthful with this technology enabled.
You are using it, I thought it was bad!
Simple: it's all about communication. I don't hide behind a security shield telling people I'm keeping them secure.
I would also like to add that many applications that help you with web debugging diagnostics also use HTTPS inspection to look inside secure traffic; this can only be done using these technologies. Ironically, if you already have HTTPS inspection enabled on your proxy, you are not able to use these diagnostic tools, because you can't have two of these technologies sitting on top of each other.
I actually use website debugging tools quite frequently, so yes, I do use this technology regularly, but when I use it, it only affects my traffic, not the corporate traffic as a whole.
The Corporate Narrative vs. Reality
This section focuses briefly on the responses you will get when you ask why it's enabled, having not known it was enabled.
What Your Security Team Tells You:
- "We're protecting you from malicious websites"
- "This prevents data exfiltration"
- "It's necessary for compliance"
- "We don't actually look at your data"
The Technical Reality:
- False sense of security: Many implementations are poorly configured, creating vulnerabilities rather than eliminating them
- Compliance theater: Often implemented to check boxes rather than provide real security
- Everything is logged: Even if humans don't actively monitor, your traffic is typically logged and stored
- Trust erosion: Breaks the fundamental security model of the internet
Mass Application Breakage:
HTTP inspection breaks hundreds of legitimate applications because they implement proper security practices like certificate pinning:
- Mobile banking apps: Most refuse to work when traffic is being intercepted
- Security applications: VPN clients, password managers, 2FA apps often fail
- Enterprise software: Many B2B applications implement certificate pinning
- Healthcare applications: HIPAA-compliant apps often refuse intercepted connections
The exclusion nightmare: IT teams spend countless hours maintaining ever-growing lists of applications that must bypass inspection. This creates a patchwork security model where some traffic is inspected and some isn't, undermining the security benefits while maintaining the privacy invasion for inspected traffic.
The Certificate Authority Deception:
To make this system work, your organization operates as a subordinate Certificate Authority with the technical capability to:
- Forge any website certificate: They can create trusted certificates for google.com, firstdirect.com, or any site
- Override browser security: Your device trusts these forged certificates because of domain group policy
- Impersonate any service: Technically capable of creating fake login pages that appear completely legitimate
Certificate visibility problems:
- No real certificate data: You never see the actual website's certificate - only your company's version
- Impossible monitoring: You cannot monitor for certificate expiry, revocation, or security issues on real websites
- False expiry dates: Corporate certificates often have different expiry dates than the real certificates
- No transparency logs: You lose access to Certificate Transparency data that helps detect fraudulent certificates
The SSH-over-HTTPS Example:
SSH over HTTPS is a perfect example of where inspection should theoretically help but often doesn't:
- What should happen: Corporate proxy detects SSH protocol tunneled through HTTPS and blocks it
- What actually happens: Most inspection tools focus on HTTP/HTTPS content analysis, not deep packet inspection of protocols tunneled within the HTTP payload
- The reality: Sophisticated users can tunnel protocols through HTTP/HTTPS in ways that evade detection
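The point above is that an inspection proxy which only parses HTTP semantics never asks what the decrypted bytes actually are. The following is an added example (not code from the original post or from any proxy product) of the first-bytes check a defender would bolt on after decryption: it classifies the start of each inner stream as HTTP, a plain SSH banner, a nested TLS handshake, or unknown, and flags everything that is not HTTP. The flow samples are constructed for the example; the HTTP method list and the 16-byte window are assumptions, and a tunnel that wraps SSH in WebSocket or HTTP framing would need the framing stripped first, so treat this as a baseline rather than a complete detector.

```python
# Classify the first bytes of a decrypted tunnel payload. Added example, not
# part of the original post; flow samples below are constructed.

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify_payload(data: bytes) -> str:
    """Return 'http', 'ssh', 'tls' or 'unknown' based on the first 16 bytes."""
    head = data[:16]
    # Ordinary web traffic: a request line or a response status line.
    if any(head.startswith(m) for m in HTTP_METHODS) or head.startswith(b"HTTP/"):
        return "http"
    # SSH identification string (RFC 4253 section 4.2) sent as the first bytes.
    if head.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04.
    # Seeing this *inside* an already-decrypted stream means a nested tunnel.
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x04:
        return "tls"
    return "unknown"


def find_non_http_flows(flows):
    """flows is an iterable of (flow_id, first_bytes); returns the ones to alert on."""
    flagged = []
    for flow_id, data in flows:
        kind = classify_payload(data)
        if kind != "http":
            flagged.append((flow_id, kind))
    return flagged


# Constructed samples standing in for decrypted CONNECT-tunnel payloads.
SAMPLE_FLOWS = [
    ("flow-1", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("flow-2", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("flow-3", b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03" + b"\x00" * 8),
    ("flow-4", b"\x00\x01\x02not-a-known-protocol"),
]


if __name__ == "__main__":
    for flow_id, kind in find_non_http_flows(SAMPLE_FLOWS):
        print(f"ALERT {flow_id}: non-HTTP protocol inside HTTPS tunnel ({kind})")
```

In a real deployment the classifier would run on the first segment of each decrypted upstream direction and feed an alert or block decision; the value of the check is that it is cheap and protocol-agnostic, which is exactly what content-focused HTTP parsing is not.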
The Amazon Illustration
When you shop on Amazon through corporate inspection, your company's logs contain your complete purchase history, browsing patterns, wish lists, shipping addresses, payment methods, and product reviews - exactly as if Amazon were serving their website over unencrypted HTTP.
What Does This Mean for Me?
Assume zero privacy: anything you access through corporate networks is monitored.
If you have no privacy on work devices, use them accordingly by only using them for work activities; if you need to do personal tasks, simply don't do them on your work laptop; get a personal laptop.
Certificate Thumbprint Mismatch
When HTTPS inspection is active, certificate thumbprints will NEVER match the real website's certificate. This breaks certificate verification and creates serious security blind spots.
Real vs. Inspected Certificate
Real Amazon Certificate:
- Thumbprint:
1B:47:17:7F:D6:EA:02:A7:52:4A:B2:FB:06:AE:89:1C:95:38:EA:89
- Issued by: DigiCert Global CA G2
- Valid from: Friday 13 September 2024
- Valid to: Sunday 24 August 2025
- Subject: amazon.com
Corporate Proxy Certificate (What you actually see):
- Thumbprint:
X9:Y8:Z7:W6:V5:U4:T3:S2:R1:Q0:P9:O8:N7:M6:L5:K4:J3:I2:H1:G0
- Issued by: ProxyServer1.bear.local
- Valid from: January 1, 2024
- Valid to: December 31, 2026
- Subject: amazon.com (impersonated)
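The two previous sections ("The Certificate Authority Deception" and this thumbprint comparison) both come down to one observable: the certificate your browser is handed is signed by an internal CA and its thumbprint never matches the real site's. Below is an added example (my code, not from the original post or any vendor) of a small Python check that makes both conditions testable. It computes the colon-separated SHA-1 thumbprint the way Windows and browser certificate dialogs display it, pulls the issuer out of the structure `ssl.getpeercert()` returns, and compares against an expected value. The expected thumbprint is the real amazon.com value quoted on the page; the `ProxyServer1.bear.local` issuer is the page's own example; the DER bytes for the proxy certificate and the list of "internal-looking" issuer markers are constructed assumptions for the demo.

```python
# Detect an inspected (proxy-issued) certificate. Added example, not from the
# original post. Sample proxy certificate data below is constructed.
import hashlib
import socket
import ssl

# Thumbprint of the real amazon.com certificate as listed on the page, used as
# the pinned value we expect to see.
EXPECTED_AMAZON_THUMBPRINT = "1B:47:17:7F:D6:EA:02:A7:52:4A:B2:FB:06:AE:89:1C:95:38:EA:89"

# Substrings that mark an issuer as an internal/proxy CA rather than a public
# one. Assumption for the example; a real deployment lists its own CA names.
INTERNAL_ISSUER_MARKERS = (".local", "proxy")


def thumbprint(der_bytes: bytes) -> str:
    """SHA-1 over the DER encoding, formatted like certificate UIs show it."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def issuer_common_name(cert: dict) -> str:
    """Pull commonName out of the nested tuples ssl.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def check_certificate(cert: dict, der_bytes: bytes, expected_thumbprint: str) -> list:
    """Return a list of findings; empty means the certificate is the expected one."""
    findings = []
    actual = thumbprint(der_bytes)
    if actual != expected_thumbprint.upper():
        findings.append(f"thumbprint mismatch: got {actual}, expected {expected_thumbprint.upper()}")
    issuer = issuer_common_name(cert)
    if any(marker in issuer.lower() for marker in INTERNAL_ISSUER_MARKERS):
        findings.append(f"issuer '{issuer}' looks like an internal/proxy CA")
    return findings


def fetch_peer_certificate(host: str, port: int = 443) -> tuple:
    """Live helper (not used by the offline demo): returns (parsed dict, DER bytes)
    for whatever certificate the client is actually handed. Because the corporate
    root is in the trust store, verification succeeds and you get the proxy's cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample modelled on the page's "Corporate Proxy Certificate" entry.
PROXY_CERT = {
    "subject": ((("commonName", "amazon.com"),),),
    "issuer": ((("commonName", "ProxyServer1.bear.local"),),),
}
PROXY_DER = b"constructed placeholder DER for the proxy-issued certificate"


def demo() -> list:
    return check_certificate(PROXY_CERT, PROXY_DER, EXPECTED_AMAZON_THUMBPRINT)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a live host with `cert, der = fetch_peer_certificate("amazon.com")` and pass both to `check_certificate`; on an uninspected network the issuer is a public CA and the thumbprint matches what the site really presents, on an inspected one both findings fire. The same check is what a user can do by hand from the browser's certificate dialog, and it is the reason certificate-pinning apps refuse the connection.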
The Bottom Line
HTTP inspection is often security theater that provides the illusion of protection while creating new vulnerabilities and privacy risks. The corporate narrative rarely matches the technical reality.
While I understand the requirements for the technology, I find that with many organizations it gives a false sense of security that you're keeping your users secure, when the exact reality may be the opposite.
Before implementing or accepting HTTP inspection, demand honest answers about what problems it actually solves, what new risks it creates, and whether there are better alternatives that don't require breaking the fundamental security model of the internet.