Forum Discussion

Cumulonimbus

Apr 12, 2023

SSLO Security policies; do we still need the Pinners category?

Playing with SSLO again, and came across the Pinners category in the Security Policy (category of website that is immediately bypassing SSLO due to the use of Pinned certificates). (More detail on...

application delivery

sslo

Kevin_Stewart
Apr 13, 2023
Certificate pinning was never intended for browser traffic.

In the simplest sense, modern browsers contain TWO CA trust stores - a system-level and separate user-level store, and a policy that says, basically, that a pinned certificate violation shall be ignored if the issuer is trusted via the user-level trust store. So in an SSL forward proxy, when you import the CA certificate to the clients, you're placing that CA in the user-level trust store, thus negating the effects of certificate pinning.

What is not covered, however, are non-browser agents that do certificate pinning. These are typically your antivirus and OS/software update agents. These non-browser agents have a single CA trust store and thus must honor all certification pinning validations. Without the pinners category in SSLO, these agents would break.

AlexBCT

Cumulonimbus

Hi Kevin,

Thanks for the very useful answer - that clarifies a few things (and fills a couple of holes in my knowledge 😉

I am however now wondering if some of the entries in the Pinners category aren't too broad to be included by default. For example, for Dropbox, it contains the full domain (https://*.dropbox.com), which means no matter where people are coming from (Agent or Browser), Dropbox will always be allowed by default - that's quite a potential hole in a DLP policy. For these domains it has now become a default-allow, rather than a default-deny architecture (though I do appreciate that it's still only a fraction of domains that you'll be interested in, and a level of pragmatism should be used).

Do you know if the entries in the list are checked regularly on whether they should still be in the list and/or can be made more specific?

Thanks,

Kevin_Stewart

Employee

Apr 14, 2023

The are indeed checked regularly. And most of the URLs in the pinners list are specific to "updates", so only ever used by non-browser agents. Dropbox is a notable exception here, where the desktop agent and a browser are using the same URLs.

AlexBCT
Cumulonimbus
Apr 14, 2023
Good to know, thanks!

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

SSLO Security policies; do we still need the Pinners category?

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

Virtual server security policy

F5 Distributed Cloud Services to Provide Unified Security Policy for Multi-cloud OpenShift Workloads

F5 Security Podcasts

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

Re: Ansible playbook to export and import ASM security policy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS