Re: The only use for SSL/TLS inspection
There are a couple I can think of off the top of my head, and I fully admit number 2 is essentially a bodge job.
1) I can see what sensitive corporate data (such as, I dunno, a customer database) Employee X has uploaded to their HotGmahoo! webmail account and sent to Competitor Y. If I can inspect it, I can block it/flag it/report on it. Likewise any other HTTPS sites that would otherwise not be visible to corporate web security platforms.
2) PC cert compliance. In a large corporate environment with mixed PC assets in various states of OS/browser version/patch level non-compliance, you'll find machines that don't know about a lot of Trusted Root (or intermediary) CAs, and supporting that is an utter nightmare. You can't go round several thousand PCs individually installing one or some root certs, to be determined once they can't access a certain site. What you can do is push out ONE cert, the trusted corporate root CA cert, and stick one signed by that on the SSL/TLS proxy. All PCs now trust the proxy cert and the proxy can decide if the upstream web server cert is valid and allow/block accordingly.
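
The trust arrangement described in point 2, as an added example that is not part of the original post: a throwaway lab built with the `openssl` CLI in which a PC trusts only the corporate root while the proxy holds the wider CA store and makes the allow/block decision. All CA names, hostnames and file names are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Constructed lab: every CA, key and hostname below is made up for the example.
CONF='[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign'

# make_ca DIR NAME CN: self-signed CA in DIR/NAME.pem, key in DIR/NAME.key
make_ca() {
  printf '%s\n' "$CONF" > "$1/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -extensions v3_ca -subj "/CN=$3" -days 30 \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA NAME CN: server cert DIR/NAME.pem signed by DIR/CA.pem
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -subj "/CN=$4" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 7 -out "$1/$3.pem" 2>/dev/null
}

# trusts CAFILE CERT: succeeds only if CERT chains to a CA in CAFILE
trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
verdict() { if trusts "$1" "$2"; then echo trusted; else echo rejected; fi; }

build_lab() {
  make_ca "$1" corp-root "Example Corp Root CA" &&            # the ONE cert pushed to PCs
  make_ca "$1" public-ca "Constructed Public CA" &&           # known to the proxy only
  make_ca "$1" unknown-ca "Constructed Unknown CA" &&         # in nobody's store
  issue_leaf "$1" public-ca upstream www.example.test &&      # the site's own cert
  issue_leaf "$1" unknown-ca bad-upstream bad.example.test && # upstream the proxy blocks
  issue_leaf "$1" corp-root proxy-leaf www.example.test       # what the proxy shows PCs
}

lab=$(mktemp -d) && build_lab "$lab" && {
  echo "PC, site cert direct:       $(verdict "$lab/corp-root.pem" "$lab/upstream.pem")"
  echo "PC, proxy-issued cert:      $(verdict "$lab/corp-root.pem" "$lab/proxy-leaf.pem")"
  echo "Proxy, good upstream cert:  $(verdict "$lab/public-ca.pem" "$lab/upstream.pem")"
  echo "Proxy, unknown-CA upstream: $(verdict "$lab/public-ca.pem" "$lab/bad-upstream.pem")"
}
```

In this arrangement the PC only ever evaluates the proxy-issued certificate, so the proxy's check of the upstream chain is the only validation the real site's certificate receives.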