Managing Proxy SSL Inspection Breaking Applications

Managing Proxy SSL Inspection Breaking Applications

dope.security introduces an industry first: simplifying SSL inspection.

What is SSL inspection?

SSL inspection is a security feature of SWGs that enables them to decrypt SSL-encrypted traffic, scan it for potential threats, and re-encrypt it before forwarding the traffic to its destination. This man-in-the-middle security feature allows organizations to inspect encrypted traffic for potential threats that may otherwise go undetected.

Great…but why is SSL inspection breaking my applications? 🚨

Despite its benefits, SSL inspection can cause issues and break some applications that rely on SSL encryption to function properly. But why do they break?

  • Certificate validation issues: When SSL inspection is performed, the SWG presents its own SSL certificate to the client instead of the original certificate from the website. If the application is not designed to handle this change in certificates, it may fail to validate the certificate and refuse to connect.
  • Hard-coded IP addresses or domains: Some applications may be designed to connect to a specific IP address or domain, and may not recognize the SWG’s IP address or domain after SSL inspection is performed. (FYI not a problem with fly-direct dope.swg 😉)
  • Application-specific SSL configurations: Some applications may have specific SSL configurations that are incompatible with the SWG’s SSL inspection process. For example, an application may require specific SSL ciphers or protocols that the SWG does not support. (FYI dope.swg supports the latest ciphers😉)

Can I just bypass SSL Inspection?

Yes, it’s possible to configure SSL bypass rules within a SWG solution to allow specific applications or websites to bypass SSL inspection 😃. However, configuring these rules is typically extremely manual 😞. Here are common steps most SWG solutions require to configure bypass lists:

  • Log a support ticket if you can’t configure it yourself 📝
  • Hunt around for application domains and URLs 🎯
  • Manually input the information into your bypass lists ✍️
  • Have a human monitor newly installed applications to see if they’ll break 🤷
  • Do this over and over for every breakage 😵‍💫

So while you can bypass SSL Inspection, as you can see, today’s way of doing it comes with so many steps and checks, that it's almost easier to just disable the SWG agent altogether so that your applications at least work, rather than deal with the manual maintenance. While this would solve your applications breaking, it leaves you vulnerable to security threats 😈. So good luck with that.

This sounds kind of terrible. Can it be better?

Yes! In fact, it can be dope, with dope.security.

Here’s how it works with us…

Currently dope.swg already logs SSL errors. But we’ve taken this a step further by extending our logging and analysis to show which specific processes and URLs are experiencing SSL errors.

After scanning the logs, and collecting the process name and associated URLs, these findings are synced to the dope.cloud. From there, our cloud communicates with the dope.endpoint and works its magic ✨ to generate a list of the SSL errors that have occurred, which the admin can easily see in their dashboard notification center upon login. The admin can then quickly add the breaking applications and URLs to their bypass lists directly from the notification center at the click of a button.

Once these few clicks are done, the bypass list is updated, and your connection to the once-broken application is fixed. You will no longer see the broken connection prompt again for that app.

With dope.swg, bypassing SSL Errors has been incredibly simplified for the admin. And the best part is, dope.swg will continue to scan the log files to identify new SSL errors and sync the findings to the dope.cloud, with zero impact on performance. It will consistently push new alerts to the admin’s notification center to ensure the lowest effort of management for both URL and Application bypass lists.

This truly is an industry first.

Feature releasing May 2023! See it for yourself at dope.security

Design
Design
User Experience
User Experience
back to blog Home