New security tool lets you bypass SSL inspection errors

Endpoint-based web and cloud security provider Dope Security has launched a new instant secure socket layer (SSL) error resolution feature on its secure web gateway (SWG) offering, Dope.swg.

The new feature is added to simplify SSL inspection conducted by Dope’s SWG and helps admins bypass SSL errors generated as a result of the inspection.

“Dope’s main differentiation is its ‘fly-direct’ architecture — rather than re-route all of your Internet traffic to a data center for security checks, we perform them on the device,” said Kunal Agarwal, CEO at Dope Security. “With our new instant SSL error resolution feature, we are further simplifying the SSL inspection process.”

SSL inspection is a security feature of SWGs that enables them to decrypt SSL-encrypted traffic, scan it for potential threats, and re-encrypt it before forwarding the traffic to its destination.

SSL inspection can sometimes break applications

SSL inspection can sometimes cause issues and break some applications that rely on SSL encryption to function correctly. There can be different underlying reasons for breaking applications, which include certificate validation issues, hard-coded IP addresses and domains, and application-specific SSL configurations.

Certificate validation failure happens when there is a mismatch between the SSL-generated certificates and the original certificate carried from the website. If the application is not designed to handle this change in certificates, validation fails, and a connection is refused.

Hard-coded IP addresses in some applications may also lead to breaking as these applications are designed to connect to a specific IP address or domain, and may not recognize the SWG’s IP address or domain after SSL inspection is performed.

Several applications may also have specific SSL configurations, which may be incompatible with the SWG’s SSL inspection process and hence lead to breaking.

When SSL inspection leads to problems, admins seek to configure SSL bypass rules for specific applications or websites to bypass their inspection. The configuring of these rules, however, is typically manual, which involves logging support tickets, hunting around for application domains and URLs, manual inputs in bypass lists, and continuous manual monitoring, according to a company blog.

“The previous generation of products caused more issues than they solved,” Agarwal said. “For instance, if an app had an SSL inspection compatibility issue it required a huge amount of coordination between the employee, their IT team, and customer support to figure out what was happening. It takes time and it’s a pain.”

“Today’s way of doing it (SSL inspection bypass) comes with so many steps and checks, that it’s almost easier to just disable the SWG agent altogether so that your applications at least work,” the blog added. This, obviously, will leave businesses vulnerable to security threats and hence should be avoided.

“Simplifying the process of updating bypass lists is a much better alternative than disabling SSL inspection entirely,” said Michael Sampson, an analyst with Osterman Research. “It would be important for organizations to periodically revisit what was breaking and why, and whether any updates had resolved the breakage so that bypass rules could be reversed and thus a higher proportion of processes would be covered by SSL inspection.”

Dope directly flags SSL errors for bypass

Dope’s SWG offering, Dope.swg, has an existing capability of logging SSL errors. The new instant SSL error resolution feature adds additional logging and analysis capabilities to prepare and display a list of specific processes and URLs that are experiencing SSL errors.

After scanning the process name and retrieving the associated URLs, these findings are logged and synced to Dope.cloud, which is a cloud-based user console for all admin configurations and reporting. Admins can use dope.cloud to add these findings to the bypass lists through one click.  

All security controls effected through Dope’s SWG are performed through Dope’s on-device SSL proxy, Dope.endpoint, which retains a business’ user’s policy and protects the device from accessing bad content. Dope.endpoint is controlled by Dope.cloud’s console where an organization’s policies are configured.

“Our new Instant SSL Error Resolution simplifies the SSL inspection and bypass process and converts them into three clicks — the error shows up, you check a box, and hit bypass. That’s it! It’s a capability that should’ve been there from day one with the legacy providers to make your life easier,” Agarwal said.

“It would also be good if there was a feedback loop from Dope to app owners — perhaps they could subscribe to a break feed, so they could see what is breaking where and why,” Sampson said.

The feature will automatically be available to customers using dope.swg, with no extra charges or license. Dope is currently working on cloud access security broker (CASB) and private access offerings to transition to a full security service edge (SSE) product.