
Need for SSL Certificate Verification & Validation Even if SSL Inspection is Disabled.

Posted: Fri May 01, 2020 9:34 am
by aashish97
Hello All,

While reading and exploring the Fortinet Secure Web Gateway and its product features, I came across their feature "SSL CERTIFICATE INSPECTION",
which describes a pretty good usage in providing good security measures in an organisation.

"SSL Certificate Inspection" will inspect the SSL certificate even if SSL Inspection is not enabled.
This means that if a user visits a website via the Fortinet Web Gateway and SSL Inspection is disabled, the website's SSL certificate will still be checked, and if the certificate validation fails the website will be blocked.

This feature really helps to identify security breaches even if SSL Inspection is disabled.
It adds another layer of security when SSL Inspection is disabled.

The link below explains the SSL Certificate Inspection feature of the Fortinet SWG.


------ Fortinet Documentation Link ------ https://docs.fortinet.com/document/fort ... inspection

----- Fortinet Documentation Screenshot -----

[Screenshot: IMG-20200501-WA0001.jpg]


Let's go in detail

Note: A Connect Proxy is nothing but a proxy where SSL Inspection is not done and all SSL connections are tunneled without alteration. When the proxy receives a CONNECT request from the client, it tunnels the request to the remote web server.

Need for such a feature
(Problem in the existing Connect Proxy):
1. Whenever SafeSquid is configured as a Connect Proxy, the only restrictions that can be applied to SSL websites are URL filtering and port filtering.

And once the SSL tunnel is created, no other filtering can be done by SafeSquid.

In such a case, if the user connects to a website which has

1. An expired SSL certificate
2. An invalid SSL certificate chain configuration
3. A wrong Common Name (SSL certificate)
4. A revoked SSL certificate

or any other such misconfiguration, it is not validated.

2. The browser also does the same SSL validation, and in that case the browser will block the website and show an error page for it.
But browsers do not restrict users from entering (accessing) that website. Browsers are not the right security measure for an organisation: they do it through an error message, but that error message can easily be bypassed (or an exception can be created) by the user, and the site can then easily be accessed, even though it may be a malicious or wrong site.

Note: the only case where the browser will not allow the website to be accessed by adding an exception is SSL certificate revocation, i.e. if a website's SSL certificate is revoked then the browser will not allow that website to be accessed.


Advantage of having SSL certificate verification even if SSL inspection is disabled.

Currently SSL certificate verification and validation is only done when SSL inspection is enabled in SafeSquid-SWG. But some users install and use SafeSquid-SWG without SSL INSPECTION; in that case, having SSL certificate inspection will add another layer of safety and security.

Users will be blocked if the SSL website they are trying to visit has a misconfigured SSL configuration, which is a sign of malicious activity.

I think the above explanation properly covers why SSL certificate inspection (inspection of the SSL certificate even if SSL inspection is not going to be done) is important.
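As an added illustration of the four checks listed in this post and of the block-on-misconfiguration behaviour requested for a Connect Proxy (example code written for this page, not code from the post, SafeSquid or Fortinet), the Go program below runs the gate a CONNECT proxy could apply to the certificate a server presents, without decrypting any traffic. It builds a constructed in-memory PKI (a private CA, a CRL and one leaf certificate per scenario, all generated at run time; www.example.com and the "Constructed Corp Root CA" name are placeholders, nothing real is contacted) and reports whether the CONNECT would be tunnelled or blocked, and why. The scenario names are the same strings as the block reasons, so the gate returned by BuildDemo gives ReasonExpired for the "expired" scenario and ReasonOK only for the correctly configured one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Verdicts: ReasonOK means "tunnel the CONNECT"; the others are block reasons from the post's list.
const (
	ReasonOK        = "ok"
	ReasonExpired   = "expired"
	ReasonWrongName = "wrong-name"
	ReasonUntrusted = "untrusted-chain"
	ReasonRevoked   = "revoked"
)

// CheckServerCert is the gate a CONNECT proxy runs on the certificate the server presents in its
// handshake, before tunnelling any bytes. It looks only at the public certificate, never at
// application data. crl must already be signature-checked against its CA (see BuildDemo).
func CheckServerCert(leaf *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, host string, now time.Time) string {
	// Checks 1-3 in one call: validity period, chain to a trusted root, hostname against the SAN.
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	switch {
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return ReasonExpired
	case errors.As(err, new(x509.HostnameError)):
		return ReasonWrongName
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return ReasonUntrusted
	case err != nil:
		return "other: " + err.Error()
	}
	// Check 4: revocation, by serial-number lookup in the issuing CA's CRL.
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ReasonRevoked
		}
	}
	return ReasonOK
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl under parent (self-signed when parent is nil); returns the cert and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildDemo constructs an in-memory PKI (private CA, CRL, one leaf per scenario; nothing real is
// contacted) and returns a gate that behaves as if a client had sent "CONNECT www.example.com:443".
func BuildDemo() func(scenario string) string {
	now := time.Now()
	leaf := func(serial int64, name string, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			DNSNames: []string{name}, // Verify matches the SAN, as browsers do, not the CN
			NotBefore: now.Add(-time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	}
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Corp Root CA"}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	const host = "www.example.com"
	good := now.Add(24 * time.Hour)
	leaves := map[string]*x509.Certificate{}
	leaves[ReasonOK], _ = issue(leaf(10, host, good), root, rootKey)
	leaves[ReasonExpired], _ = issue(leaf(11, host, now.Add(-time.Minute)), root, rootKey)
	leaves[ReasonWrongName], _ = issue(leaf(12, "www.example.net", good), root, rootKey)
	leaves[ReasonUntrusted], _ = issue(leaf(13, host, good), nil, nil) // self-signed: no trusted chain
	leaves[ReasonRevoked], _ = issue(leaf(14, host, good), root, rootKey)
	// CRL signed by the root, revoking serial 14; its signature is verified once, on load.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(14), RevocationTime: now}},
	}, root, rootKey))
	crl := must(x509.ParseRevocationList(crlDER))
	if err := crl.CheckSignatureFrom(root); err != nil {
		panic(err)
	}
	return func(scenario string) string {
		return CheckServerCert(leaves[scenario], roots, crl, host, now)
	}
}
```

The expiry, chain and hostname checks all come from the standard library's Verify, which matches the requested name against the Subject Alternative Name rather than the Common Name, as current browsers do. Revocation is checked against a CRL whose signature is verified when it is loaded; a production proxy would refresh the CRL (or query OCSP) before its NextUpdate passes and would only consult the CRL published by the CA that issued the leaf.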