By default, the Web Security Service (WSS) does not intercept HTTPS traffic from destination websites, but WSS applies Content Filtering policy to the furthest extent possible.
WSS, however, cannot apply policies to transactions that require deeper inspection (such as blocked categories, web application controls, or malware scanning) without decrypting that SSL/HTTPS content.
Enabling SSL Interception allows WSS to decrypt HTTPS connections, examine the contents and perform policy checks.
NOTE: If SSL Interception is not enabled, some encrypted web traffic is still filtered because due to the WSS "intercept on exception" feature.
This article describes possible scenarios where WSS intercepts traffic...even when SSL Interception is DISABLED.
Common "Intercept on exception" scenarios:
Distribute WSS Root Cert ("Cloud Services Root CA") to Endpoints