- 22 Dec 2024
TLS Inspection Overview
- Updated on 22 Dec 2024
TLS/SSL Inspection (Decryption)
Overview
If your company employs a network security solution that decrypts TLS traffic, it is important to understand the implications for ScreenMeet’s functionality and security.
Recommended Configuration
To ensure seamless operation of ScreenMeet services, we recommend adding an exception for traffic to and from *.screenmeet.com. This will help avoid potential warnings or connectivity issues caused by TLS/SSL inspection.
Impact of TLS/SSL Inspection
Certificate Pinning: ScreenMeet’s client software uses certificate pinning for enhanced security. If TLS inspection is active, users will generally encounter a warning that the session is “not secure” when attempting to connect to a session. This warning is designed to protect against potential man-in-the-middle (MITM) attacks but may appear as a false positive in environments with TLS inspection enabled.
ScreenMeet Beam (Unattended): The Beam (unattended) feature will NOT connect if TLS inspection is enabled on your network. This behavior is intentional and reinforces connection security.
Warning Example
Users may encounter a warning like the one shown below:
WARNING: The connection to the support server may not be secure because of an SSL certificate mismatch. If you are connected via a VPN, your traffic might be monitored. Certificate Issuer: CN=[Your Organization’s Root CA]. Are you sure you wish to continue?
This functionality is intended to protect users from MITM attacks, where a malicious party intercepts and alters encrypted communication. In environments where TLS inspection is used, this warning may appear as a false positive due to the security solution’s custom certificate.
Tools that Perform TLS/SSL Inspection
Common tools that implement TLS/SSL inspection include:
Zscaler (Configuring SSL Inspection Policy)
Blue Coat ProxySG
Cisco Umbrella (Enable SSL Decryption)
Palo Alto Networks NGFW (Configure SSL Inbound Inspection)
Fortinet FortiGate (Certificates - FortiGate Administration Guide)
These tools are typically part of enterprise-grade network security solutions designed to monitor encrypted traffic, enforce compliance, and prevent data exfiltration.
Reasons for Implementation
Companies implement TLS/SSL inspection to:
Enhance Security: Identify and block malicious content hidden in encrypted traffic.
Data Loss Prevention: Protect sensitive data from being sent to unauthorized external servers.
Compliance: Meet regulatory and legal requirements for monitoring and securing data transmission.
Threat Management: Protect against evolving cyber threats and ensure network safety.
Action Items
Add Exceptions: Configure your network security solution to bypass TLS/SSL inspection for the following domain:
*.screenmeet.com
Communicate to Teams: Inform IT and security teams about these requirements to prevent unnecessary disruptions.
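To confirm that the exception has taken effect, the following added example (not ScreenMeet code) checks which CA issued the certificate a host presents and flags it when the issuer is your inspection CA. The CA names in INSPECTION_CA_NAMES are placeholders, and hostnames are passed on the command line because this page lists only the wildcard domain.

```python
import socket
import ssl
import sys

# Assumption: CN or O of your inspection product's signing CA (placeholder value).
INSPECTION_CA_NAMES = {"Example Corp TLS Inspection CA"}


def issuer_field(cert, field="commonName"):
    """Pull one field out of the issuer in ssl.getpeercert() dict form."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def classify(cert, inspection_names=INSPECTION_CA_NAMES):
    """Return 'inspected' if the issuer is the inspection CA, else 'bypassed'."""
    names = {n.lower() for n in inspection_names}
    cn = issuer_field(cert) or ""
    org = issuer_field(cert, "organizationName") or ""
    return "inspected" if cn.lower() in names or org.lower() in names else "bypassed"


def fetch_cert(host, port=443, timeout=5.0):
    """Handshake using the system trust store and return the leaf cert as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape, not captured from a real host.
SAMPLE_INSPECTED = {"issuer": ((("organizationName", "Example Corp"),),
                               (("commonName", "Example Corp TLS Inspection CA"),))}
SAMPLE_DIRECT = {"issuer": ((("organizationName", "Some Public CA"),),
                            (("commonName", "Some Public CA R1"),))}

if __name__ == "__main__":
    for host in sys.argv[1:]:  # concrete hostnames under the bypassed domain
        try:
            cert = fetch_cert(host)
            print(host, classify(cert), "issuer CN:", issuer_field(cert))
        except ssl.SSLCertVerificationError as exc:
            # Untrusted chain: often an inspection CA missing from this trust store.
            print(host, "verify-failed:", exc.verify_message)
        except OSError as exc:
            print(host, "connect-failed:", exc)
```

Run it from a machine behind the inspecting proxy; a host that still reports "inspected" after the rule change is not covered by the bypass.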
Additional Notes
While basic ScreenMeet functionality may still work under TLS inspection, it is strongly advised to follow the recommended configuration to avoid security warnings and ensure full compatibility with all ScreenMeet features.
For further assistance or questions, please contact ScreenMeet support.