
What is SSL Inspection and Why Your School Needs It

A technical explainer on how HTTPS/SSL inspection works in school web filtering, why DNS-only filters fall short, and how to deploy SSL inspection safely.


The HTTPS Problem

Over 95% of web traffic is now encrypted with HTTPS. That's great for privacy — but terrible for school web filters that can't see inside encrypted connections.

DNS-only filters (like Cisco Umbrella, CleanBrowsing, or NextDNS) can block entire domains, but they can't see what's happening inside an allowed domain. A student on google.com? DNS says 'allowed.' But are they searching for homework help or searching for 'how to bypass school filter'? DNS can't tell you.

SSL inspection solves this by decrypting, inspecting, and re-encrypting HTTPS traffic in real time.

How SSL/TLS Inspection Works

SSL inspection (also called HTTPS inspection, TLS inspection, or MITM proxy) works by placing a trusted proxy between the student's device and the internet. Here's the flow:

1. The student's device is configured to route traffic through the proxy (via MDM profile or PAC file).
2. When the student visits an HTTPS site, the proxy establishes its own secure connection to that site.
3. The proxy reads the actual page content, checks it against your filtering policies, and either allows or blocks it.
4. If allowed, the proxy re-encrypts the content with its own certificate and sends it to the student.

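For this to work, the proxy's CA (Certificate Authority) certificate must be installed as trusted on the student's device; without it, the browser rejects the certificates the proxy presents and shows a certificate error. This is done automatically through MDM deployment.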

What SSL Inspection Catches That DNS Misses

  • Embedded games on Google Sites — DNS allows google.com, but SSL inspection sees the game content on the page

  • AI conversation content — DNS knows they visited chatgpt.com, SSL inspection captures what they typed

  • Search query content — DNS allows google.com, SSL inspection sees they searched for 'how to make a weapon'

  • Social media content — DNS blocks instagram.com, but what about Instagram content embedded in an allowed blog?

  • Proxy/VPN bypass attempts — DNS might not catch a new proxy site, but SSL inspection can detect proxy traffic patterns

KyberGate's Approach

KyberGate uses cloud-based SSL inspection across 8 global proxy regions. Traffic routes through the nearest region for low latency. The CA certificate deploys automatically via MDM profile — no manual device configuration needed.

Is SSL Inspection Safe?

Yes, when implemented correctly. The CA certificate is only trusted on managed school devices — it has no effect on personal devices or other networks. The proxy only inspects traffic routed through it (school devices), not all network traffic.

Important: SSL inspection should NEVER inspect banking, healthcare, or other sensitive domains. KyberGate maintains a bypass list of domains that are always passed through without inspection (Apple services, banking, healthcare portals, etc.).
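One way a proxy can apply a bypass list like the one described above, as an added example that is not KyberGate's code: the inspect-or-passthrough decision is taken from the hostname the client sends in the TLS ClientHello (SNI), before anything is decrypted. The bypass entries, function names and the no-SNI default are assumptions made for illustration.

```python
# Added example: inspect-or-passthrough decision keyed on the TLS SNI hostname.
# Bypass entries are constructed placeholders, not KyberGate's real list.
# An entry covers that host and every subdomain of it.
BYPASS = frozenset({"apple.com", "bank.example", "health-portal.example"})


def normalize(sni):
    """Lower-case the name and drop the trailing root dot ("Bank.Example.")."""
    return sni.strip().rstrip(".").lower()


def is_bypassed(host, bypass=BYPASS):
    """True if host is a bypass entry or a subdomain of one.

    Comparison is on whole DNS labels: "notbank.example" must not match
    "bank.example", which a plain str.endswith() check would get wrong.
    """
    labels = host.split(".")
    # a.b.c -> try "a.b.c", then "b.c", then "c"
    return any(".".join(labels[i:]) in bypass for i in range(len(labels)))


def decide(sni, bypass=BYPASS):
    """Return "passthrough" (relay TLS untouched) or "inspect" (decrypt)."""
    if not sni:
        # Assumption: no SNI means the destination cannot be classified;
        # this sketch inspects. A deployment may choose to block instead.
        return "inspect"
    return "passthrough" if is_bypassed(normalize(sni), bypass) else "inspect"


if __name__ == "__main__":
    # Constructed hostnames covering the edge cases.
    for name in ["bank.example", "Login.Bank.Example.", "notbank.example",
                 "bank.example.attacker.test", "www.google.com", None]:
        print(f"{name!s:32} -> {decide(name)}")
```

Matching on whole labels matters in both directions: a lookalike name must not inherit the bypass and escape filtering, and a real subdomain of a sensitive site must not be decrypted by mistake.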
