What is the Difference Between SSL Termination and SSL Passthrough (a.k.a. SSL Offloading)
With the introduction of QuotaGuard Shield on Heroku and on our Direct Service, we’ve had a few questions about the differences between QuotaGuard Static, which uses SSL Termination, and QuotaGuard Shield, which uses SSL Passthrough.
Please use this handy little cheat sheet to learn the differences between the two types of security methods when using our QuotaGuard proxies for your traffic.
Click image for larger view
Only QuotaGuard Shield does not expose sensitive data or require sharing private certificates with third parties, like other Static IP proxies, when using HTTPS or Secure SOCKS.
Exposing sensitive data and sharing private security keys is not HIPAA / PCI compliant and introduces multiple security vulnerabilities – even if you aren’t subject to any outside security requirements.
QuotaGuard Shield uses SSL Passthrough – instead of SSL Termination – to route all traffic securely.
QG Shield safeguards three pieces of sensitive information that other Static IP services leave vulnerable
Private SSL Certs
You never have to share your private keys with a third party, like QuotaGuard. As of 2018, 56% of security incidents stem from 3rd party data compromises.1
Sensitive Infrastructure Metadata
You never expose your source/destination hostnames, open ports, and running/accessible services and applications to malicious actors allowing them to map out your corporate network.
Static IP Proxy Credentials
You never route any IP Proxy credentials unencrypted for hackers to steal and impersonate your traffic through your trusted Static IP’s.
SSL and TLS
Secure Socket Layer (SSL), more recently known as TLS (Transport Layer Security), is the most common security protocol for HTTP traffic that is traversing on the Internet.
SSL/TLS encrypts the communications between a client and a server that allows for secure bi-directional message exchanges.
You can see SSL in action when you look at your website address bar and see the closed lock symbol. Also, when the URL of a website address says “HTTPS,” the “S” indicates that SSL is being used to secure the connection and encrypt the data. Google has been pushing website operators to use SSL for all their websites, even websites that are non-financial or have no sensitive material, to make the web more secure for everyone, so you will likely see this lock symbol on most sites today.
Static IPs with HA+LB for Inbound/Outbound (HTTP/SOCKS5) Encrypted Connections
SSL Termination / SSL Offloading
QuotaGuard Static uses SSL Termination for routing requests between endpoints.
SSL termination (a.k.a. SSL Offloading ) decrypts all HTTPS traffic when it reaches the QuotaGuard proxy server. At this point, routing is executed and the data proceeds to the destination server as plain HTTP traffic.
If your QuotaGuard implementation uses a HTTPS URL for the forwarding URL (as most customers do), then the data between QuotaGuard and the final destination is encrypted as well. However, QuotaGuard does have to decrypt the data, using your security keys, to determine the next hop and then re-encrypt the data before it is sent to the next point.
Inbound/Outbound Static IP's. End-to-End Encryption with ACM - HIPAA Compliant
QuotaGuard Shield uses SSL Passthrough for routing requests between endpoints.
SSL passthrough passes encrypted HTTPS traffic all the way to the backend server without decrypting the traffic on the proxy.
Therefore, traffic passes through the proxy encrypted and the destination server (web application server, database server, etc.) does the decryption process to read the data.
How do I get SSL Passthrough to work for my QuotaGuard Shield Static IP proxy?
To get SSL Passthrough to work with QuotaGuard Shield, do the following :
- Sign up for QuotaGuard Shield either at Heroku or on our Direct site.
- Use the QuotaGuard wizard to configure your domain name and forwarding URL.
- Change your DNS to point to the CNAME record we provide in your account.
- Allow up to an hour for the DNS settings to propagate and you’re done.
Note that you do not have to upload your certificates to QuotaGuard when using QuotaGuard Shield.
Why does QuotaGuard Static use SSL Termination and not SSL Passthrough?
QuotaGuard Static uses SSL Termination because it is generally faster and allows for actions to be performed based on the data.
If there are no concerns regarding the compromise of data passing from the proxy to the destination server, SSL Termination is likely a better solution.