Back to Resources
TECHNICAL

HTTPS Inspection: How SSL/TLS Filtering Works

A technical deep-dive on how modern web filters inspect encrypted traffic safely.

9 min read

The HTTPS Challenge

Over 95% of web traffic is now encrypted with HTTPS. Without SSL inspection, web filters can only see the domain name — not the actual content. This means:

Can't distinguish between a Google search for 'biology homework' and 'how to bypass school filter'

Can't detect game content hosted on allowed domains (Google Sites, Replit)

Can't scan for safety keywords in search queries

Can't analyze page content for NSFW images or violence

How MITM Proxy Inspection Works

KyberGate uses a Man-in-the-Middle (MITM) proxy to decrypt, inspect, and re-encrypt HTTPS traffic. Here's the flow:

1

Device connects to proxy

The iPad sends its HTTPS request through the KyberGate proxy (configured via MDM PAC file).

2

Proxy intercepts the TLS handshake

Instead of passing the connection through, the proxy establishes its own TLS connection to the destination server.

3

Proxy generates a certificate

The proxy creates a certificate for the destination domain, signed by the KyberGate CA certificate (pre-installed on the device).

4

Content is decrypted and inspected

The proxy can now read the HTTP content — URLs, search queries, page content, images. It applies filtering rules.

5

Response is re-encrypted

If the content is allowed, it's re-encrypted and forwarded to the device. If blocked, a block page is served instead.

Certificate Trust Chain

For SSL inspection to work without browser warnings, devices must trust the KyberGate CA certificate. This is deployed via your MDM as a trusted root certificate.

🔒 website.com (certificate signed by KyberGate CA)

↑ KyberGate Proxy CA (installed on device via MDM)

↑ Device trust store (managed by Apple / MDM)

What Gets Bypassed

Some traffic should never be inspected. KyberGate automatically bypasses:

Apple services (*.apple.com)
iCloud (*.icloud.com)
App Store updates
MDM enrollment
Certificate validation (OCSP)
Push notifications (*.push.apple.com)
FaceTime & iMessage
Banking/financial sites
Healthcare portals

Privacy Safeguards

SSL inspection is only performed on school-managed devices

Personal devices (BYOD) use DNS-level filtering instead

Password fields are never logged or stored

Inspected content is analyzed in-memory and not persisted

Only metadata (domain, category, action) is logged to our database

All logs are encrypted at rest and in transit

See SSL inspection in action

KyberGate's proxy handles all the complexity. You just deploy the MDM profile.

Start Free Demo

Chat with KyberGate

We typically respond within a few hours

👋 Hi! Have questions about KyberGate for your school? Drop us a message and we'll get back to you.