Every vendor datasheet still says “SSL inspection” somewhere. A few paragraphs down, the same document says “TLS 1.3 decryption.” They mean the same thing, mostly, and also not exactly. The sloppiness costs buyers real money at renewal time.

This post is a terminology map. By the end you will know which protocol a vendor actually decrypts, where the naming diverged, and which questions to ask before you sign.


Why the Names Still Get Mixed Up

SSL stands for Secure Sockets Layer. The last SSL version shipped in 1996 and was deprecated by 2015. TLS, Transport Layer Security, replaced it. Every modern handshake is TLS. Nobody has been inspecting real SSL traffic for a decade.

The word stuck anyway. Network vendors trained a generation of buyers on “SSL inspection” and kept the phrase in their UI. When TLS 1.2 and then 1.3 arrived, the marketing never caught up. Today “SSL inspection” is a colloquialism for “decrypt encrypted web traffic,” regardless of protocol version. “TLS inspection” is the same thing, named correctly.

The short answer: if a 2026 product says SSL inspection, assume they mean TLS. If they cannot tell you which TLS version they handle, keep asking.


What Each Protocol Actually Does in 2026

The protocols look alike from ten feet away and behave very differently at the wire. The differences matter when you are choosing a secure web gateway.

SSL 3.0 and Earlier

Deprecated. Any product that still claims to inspect SSL 3.0 is either misnamed or handling legacy industrial traffic. Assume zero real-world use outside of niche OT networks.

TLS 1.0 and 1.1

Also deprecated. Both browsers and major SaaS providers dropped support in 2020 and 2021. An inspection product that still relies on these versions for easier MITM is downgrading your security posture, not protecting it.

TLS 1.2

The workhorse protocol for most of the last decade. Widely supported, well understood, and straightforward to inspect. If a vendor handles TLS 1.2 cleanly, that is table stakes, not a differentiator.

TLS 1.3

The current default. Handshake encryption starts earlier, session resumption is tighter, and the old tricks cloud proxies used to “see” inside TLS 1.2 no longer work. Inspection is still possible with a trusted root certificate on the endpoint, but the architecture has to be right. A proper secure web gateway handles TLS 1.3 with no downgrade and no protocol gymnastics.

QUIC and HTTP/3

QUIC rides on UDP, carries TLS 1.3 inside it, and is now standard for YouTube, Google Search, and a growing list of apps. Inspection requires either native QUIC support or a policy that forces fallback to TCP. Forcing fallback hurts performance; doing it right is harder.


Inspection Capabilities by Protocol

Use this table to grade vendor claims. Anything less than full TLS 1.3 and QUIC support in 2026 is a product gap, not a feature choice.

| Protocol | Status | Inspection Method | What to Ask |
|---|---|---|---|
| SSL 3.0 | Deprecated | Not applicable | Why is this still in your UI? |
| TLS 1.0 / 1.1 | Deprecated | Legacy MITM | Are you downgrading to inspect? |
| TLS 1.2 | Supported | Standard MITM with root cert | Expected baseline |
| TLS 1.3 | Standard in 2026 | Endpoint or proxy MITM, no downgrade | Do you preserve the handshake? |
| QUIC / HTTP/3 | Growing | Native inspection or blocked fallback | What happens to HTTP/3 traffic? |

A vendor who says “SSL inspection” and cannot describe their QUIC handling is selling a 2018 product with a 2026 price tag.


Buyer’s Checklist: What to Ask Your SWG Vendor

Five questions separate serious products from legacy ones.

1. Which TLS Versions Do You Decrypt Natively?

The answer should be 1.2 and 1.3 with no caveats. If the vendor needs a “TLS 1.3 mode” toggle, they are still catching up.

2. Do You Support QUIC, or Block It?

Blocking QUIC is acceptable if you know about it. Silently breaking HTTP/3 without telling admins is not. Ask for the default behavior and the policy knob.

3. Where Does the MITM Actually Happen?

Endpoint-based MITM preserves the native connection. Cloud-based MITM adds a detour. Neither is wrong, but the performance tradeoff is different and the vendor should be willing to explain it.

4. Do You Downgrade HTTP/2 or TLS 1.3 Features?

Some proxies force HTTP/1.1 or disable session resumption to simplify inspection. The result is slower page loads and broken connection reuse. Ask for a packet capture during the pilot.

5. How Do You Handle Certificate Pinning?

Apps that pin certificates break under inspection unless the product has a managed exception list or a mobile profile that accepts the inspection root. An honest SWG vendor maintains this list and publishes changes.
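For questions 1 and 4, the pilot packet capture can be checked mechanically. The following is an added example, not part of the original post or any vendor's tooling: it reads the ServerHello record from a capture and reports the version actually selected, which for TLS 1.3 is carried in the supported_versions extension while the legacy version field still reads TLS 1.2. The function names and the sample records are constructed for illustration.

```python
import struct

# Wire values, oldest first; dict order is used to compare versions.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B

def negotiated_version(record: bytes) -> str:
    """Return the protocol version a ServerHello record actually selects."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        version = struct.unpack("!H", hello[0:2])[0]   # legacy_version
        pos = 2 + 32                                   # skip version + random
        pos += 1 + hello[pos]                          # skip session_id
        pos += 2 + 1                                   # cipher suite + compression
        if pos < len(hello):                           # extensions present
            end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
                data = hello[pos + 4:pos + 4 + ext_len]
                if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
                    version = struct.unpack("!H", data)[0]  # the real TLS 1.3 signal
                pos += 4 + ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ServerHello") from exc
    return VERSIONS.get(version, f"unknown (0x{version:04x})")

def is_downgrade(direct: bytes, via_gateway: bytes) -> bool:
    """True if the gateway path negotiates an older version than the direct path."""
    order = list(VERSIONS.values())
    return order.index(negotiated_version(via_gateway)) < order.index(negotiated_version(direct))

def sample_server_hello(legacy: int, selected=None) -> bytes:
    """Build a constructed sample record (not captured traffic)."""
    ext = b"" if selected is None else struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
    suite = b"\x13\x01" if selected else b"\xc0\x2f"
    hello = (struct.pack("!H", legacy) + bytes(32) + b"\x00" + suite + b"\x00"
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

A capture taken between the client and a proxy shows only that leg of the connection; checking the proxy-to-server leg needs a second capture on the egress side.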


The Practical Takeaway

The SSL vs TLS naming gap does not matter inside a single sentence. It matters when the sentence implies the product only handles old protocols. Ask the version question directly, make the vendor demo TLS 1.3 and QUIC in the pilot, and judge the datasheet against the demo.

Buyers who run this checklist catch two failure modes: products that downgrade to inspect, and products that silently block modern protocols. Either one is a reason to keep looking.


FAQ

What is the difference between SSL and TLS inspection?

There is no functional difference in 2026. SSL inspection is an older name for the same process TLS inspection describes. Real SSL protocols have been deprecated for a decade, so every active inspection product is actually handling TLS. The naming is historical, not technical.

What does SSL stand for?

SSL stands for Secure Sockets Layer, the original encryption protocol for web traffic released by Netscape in the mid-1990s. It was replaced by TLS, Transport Layer Security, in 1999. Modern products that say SSL usually mean TLS and use the older term for familiarity.

Is TLS inspection the same as decryption?

It is decryption plus re-encryption. The inspection engine terminates the TLS session, reads the plaintext for policy or threat checks, then opens a new TLS session to the destination. Endpoint-first products like dope.security do this on the device so there is no extra network hop.

Does TLS 1.3 prevent inspection?

No, but it does prevent passive inspection. You still need a trusted root certificate on the endpoint to perform MITM with TLS 1.3. What TLS 1.3 eliminates is the ability to inspect traffic without the user’s device agreeing to the interception, which is how it should work.

By Admin