Passive, Transparent, and Selective TLS Decryption for Network Security Monitoring

More and more Internet traffic is encrypted. While this protects the confidentiality integrity of communication, it prevents network monitoring systems (NMS) from effectively analyzing now encrypted payloads. Many enterprise networks have deployed man-in-the-middle (MitM) proxies that intercept TLS connections at border to examine packet payloads regain visibility. However, interception via MitM often reduces connection security potentially introduces additional attack vectors. In paper, we present a cooperative approach in which endpoints selectively send keys NMS for decrypting connections. This enables hosts control an can decrypt lets users retain privacy chosen We implement prototype based on Zeek able receive key material hosts, connections, analyze cleartext. Meanwhile, our patch was merged into upstream will be part v4.3.0. evaluation, initially compare deduce significantly computational overhead. Furthermore, experimental results real-world indicate decryption adds runtime overhead 2.5 times compared analysis Additionally, when buffering only short amounts time NMS, all arrive completely 99,99% observed