Forum Discussion
SSLO Security policies; do we still need the Pinners category?
- Apr 13, 2023
Certificate pinning was never intended for browser traffic.
In the simplest sense, modern browsers contain TWO CA trust stores - a system-level and separate user-level store, and a policy that says, basically, that a pinned certificate violation shall be ignored if the issuer is trusted via the user-level trust store. So in an SSL forward proxy, when you import the CA certificate to the clients, you're placing that CA in the user-level trust store, thus negating the effects of certificate pinning.
What is not covered, however, are non-browser agents that do certificate pinning. These are typically your antivirus and OS/software update agents. These non-browser agents have a single CA trust store and thus must honor all certificate pinning validations. Without the pinners category in SSLO, these agents would break.
They are indeed checked regularly. And most of the URLs in the pinners list are specific to "updates", so only ever used by non-browser agents. Dropbox is a notable exception here, where the desktop agent and a browser are using the same URLs.
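To make the trust-store argument above concrete, here is an added example (not from the post, not F5 code) that computes an HPKP-style SPKI pin from a DER certificate using only the standard library and then runs the two decision models the post describes: a non-browser agent with one trust store that always enforces its pins, and a browser that skips pin enforcement when the issuer is a user-installed root. The CA names, the hostname `updates.example.com`, the key bytes and the signatures are all constructed placeholders; chain building is reduced to issuer-name matching and no signatures are verified, because the point is the pin logic, not path validation.

```python
import base64
import hashlib

# Constructed example: a minimal DER encoder/decoder, four hand-built certificates
# and two trust-decision models. Names, hostnames and key bytes are made up;
# signatures are placeholders and are NOT verified.

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_read(buf, pos):
    """Return (tag, value, position after this TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split a constructed value into (tag, full TLV bytes) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out

OID_CN = der(0x06, bytes([0x55, 0x04, 0x03]))
OID_EC_PUBKEY = der(0x06, bytes([0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01]))
OID_ECDSA_SHA256 = der(0x06, bytes([0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02]))

def name(cn):
    """X.501 Name carrying a single CN attribute."""
    return der_seq(der(0x31, der_seq(OID_CN, der(0x0C, cn.encode()))))

def make_cert(subject_cn, issuer_cn, pubkey):
    """Structurally valid X.509 v3 certificate with placeholder key and signature bytes."""
    spki = der_seq(der_seq(OID_EC_PUBKEY), der(0x03, b"\x00" + pubkey))
    tbs = der_seq(
        der(0xA0, der(0x02, b"\x02")),                                       # [0] version v3
        der(0x02, b"\x01"),                                                  # serialNumber
        der_seq(OID_ECDSA_SHA256),                                           # signature algorithm
        name(issuer_cn),
        der_seq(der(0x17, b"230101000000Z"), der(0x17, b"240101000000Z")),   # validity
        name(subject_cn),
        spki,
    )
    return der_seq(tbs, der_seq(OID_ECDSA_SHA256), der(0x03, b"\x00" + b"\xEE" * 8))

def cert_fields(der_cert):
    """Return (issuer TLV, subject TLV, SubjectPublicKeyInfo TLV) of a DER certificate."""
    _, cert_body, _ = der_read(der_cert, 0)
    _, tbs_body, _ = der_read(cert_body, 0)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:            # optional explicit version field
        fields = fields[1:]
    # serial(0) signature(1) issuer(2) validity(3) subject(4) subjectPublicKeyInfo(5)
    return fields[2][1], fields[4][1], fields[5][1]

def pin_sha256(der_cert):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    _, _, spki = cert_fields(der_cert)
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def issued_by_any(leaf, roots):
    issuer, _, _ = cert_fields(leaf)
    return any(cert_fields(ca)[1] == issuer for ca in roots)

def agent_accepts(leaf, pins, trust_store):
    """Non-browser agent: one trust store, pins always enforced."""
    return issued_by_any(leaf, trust_store) and pin_sha256(leaf) in pins

def browser_accepts(leaf, pins, system_roots, user_roots):
    """Browser model from the post: pins are not enforced for user-installed roots."""
    if issued_by_any(leaf, user_roots):
        return True
    return issued_by_any(leaf, system_roots) and pin_sha256(leaf) in pins

def scenario():
    public_ca = make_cert("Public Root CA", "Public Root CA", b"\x01" * 32)
    proxy_ca = make_cert("Corp Forward Proxy CA", "Corp Forward Proxy CA", b"\x02" * 32)
    real_leaf = make_cert("updates.example.com", "Public Root CA", b"\x03" * 32)
    proxy_leaf = make_cert("updates.example.com", "Corp Forward Proxy CA", b"\x04" * 32)
    pins = {pin_sha256(real_leaf)}      # the agent ships with the real server's SPKI pin
    return {
        "agent_direct": agent_accepts(real_leaf, pins, [public_ca]),
        "agent_via_proxy": agent_accepts(proxy_leaf, pins, [public_ca, proxy_ca]),
        "browser_via_proxy": browser_accepts(proxy_leaf, pins, [public_ca], [proxy_ca]),
        "browser_proxy_ca_in_system_store": browser_accepts(proxy_leaf, pins, [public_ca, proxy_ca], []),
    }

if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:34s} {'accept' if ok else 'REJECT'}")
```

Running it shows the asymmetry the post relies on: the agent accepts the real server directly but rejects the proxy-issued leaf even though the proxy CA is in its store, because the SPKI pin no longer matches; the browser accepts the same proxy-issued leaf because the proxy CA sits in the user-installed store. The last case shows that the browser still enforces the pin when the issuer is only in the system store, which is why the bypass depends on where the forward-proxy CA is installed. Against a real certificate the same `pin_sha256` value can be cross-checked with `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`.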
Good to know, thanks!