TLS/SSL Do Not Decrypt Guidelines

You should not decrypt traffic if doing so is forbidden by:

• Law; for example, some jurisdictions forbid decrypting financial information

• Company policy; for example, your company might forbid decrypting privileged communications

• Privacy regulations

• Traffic that uses certificate pinning (also referred to as TLS/SSL pinning) must remain encrypted to prevent breaking the connection

Encrypted traffic can be allowed or blocked on any decryption rule condition, including, but not limited to:

• Certificate status (for example, expired or invalid certificate)

• Protocol (for example, the nonsecure SSL protocol)

• Network (security zone, IP address, VLAN tag, and so on)

• Exact URL or URL category

• Port

• User group

Limitations of categories in Do Not Decrypt rules

You can optionally choose to include categories in your decryption policies. These categories, also referred to as URL filtering, are updated by the Cisco Talos intelligence group. Updates are based on machine learning and human analysis according to content that is retrievable from the website destination and sometimes from its hosting and registration information. Categorization is not based on the declared company vertical, intent, or security. While we strive to continuously update and improve URL filtering categories, it is not an exact science. Some websites are not categorized at all and it's possible some websites might be improperly categorized.

Avoid overusing categories in do not decrypt rules to avoid decrypting traffic without a reason; for example, the Health and Medicine category includes the WebMD website, which does not threaten patient privacy.

Following is a sample decryption policy that can prevent decryption for websites in the Health and Medicine categories but allows decryption for WebMD and everything else. General information about decryption rules can be found in Guidelines for Using TLS/SSL Decryption.