Forum Discussion
SSLO Security policies; do we still need the Pinners category?
- Apr 13, 2023
Certificate pinning was never intended for browser traffic.
In the simplest sense, modern browsers contain TWO CA trust stores - a system-level and separate user-level store, and a policy that says, basically, that a pinned certificate violation shall be ignored if the issuer is trusted via the user-level trust store. So in an SSL forward proxy, when you import the CA certificate to the clients, you're placing that CA in the user-level trust store, thus negating the effects of certificate pinning.
What is not covered, however, are non-browser agents that do certificate pinning. These are typically your antivirus and OS/software update agents. These non-browser agents have a single CA trust store and thus must honor all certification pinning validations. Without the pinners category in SSLO, these agents would break.
Hi Kevin,
Thanks for the very useful answer - that clarifies a few things (and fills a couple of holes in my knowledge 😉
I am however now wondering if some of the entries in the Pinners category aren't too broad to be included by default. For example, for Dropbox, it contains the full domain (https://*.dropbox.com), which means no matter where people are coming from (Agent or Browser), Dropbox will always be allowed by default - that's quite a potential hole in a DLP policy. For these domains it has now become a default-allow, rather than a default-deny architecture (though I do appreciate that it's still only a fraction of domains that you'll be interested in, and a level of pragmatism should be used).
Do you know if the entries in the list are checked regularly on whether they should still be in the list and/or can be made more specific?
Thanks,
- Kevin_StewartApr 14, 2023Employee
The are indeed checked regularly. And most of the URLs in the pinners list are specific to "updates", so only ever used by non-browser agents. Dropbox is a notable exception here, where the desktop agent and a browser are using the same URLs.
- AlexBCTApr 14, 2023Cumulonimbus
Good to know, thanks!
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com