Does the SSL Visibility Appliance support HTTP pinning?

Article ID: 168438

Products

SSL Visibility Appliance Software

Issue/Introduction

Certificate pinning lets a website declare which certificate authorities are allowed to issue certificates for that site. A user-agent that has recorded those pins rejects a TLS connection to the site when the certificate chain it is presented was not issued by one of the known-good CAs.
In short, HTTP pinning is a defence against man-in-the-middle attacks that rely on a certificate issued by an authority that is not on the site's list.

Cause

Because the SSL Visibility Appliance acts as the CA that issues the certificate the client sees in an intercepted HTTPS connection, HTTP pinning may be an issue.

Resolution

Certificate pinning is not an issue for normal browsing when a company implements SSL Interception correctly. Testing by simply browsing to a site and clicking through the untrusted-issuer error will not work for sites that use certificate pinning. Instead, install the appliance's CA certificate in the client's certificate store before testing SSL interception.
This has been tested with Chrome, Firefox and IE. If the corporate CA certificate is installed in the client's certificate store, these browsers do not enforce the pin of the CA that signed the web server's original certificate.
Only when the CA certificate is not in the user's certificate store do these browsers terminate the connection without allowing the user to override the untrusted-issuer error. This is the default behavior. If you set the cert_pinning setting in Firefox to 2, Firefox will also refuse the privately installed CA certificate.
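The following is an added worked example, not code from the article or from the SSL Visibility Appliance. It models the pin check a browser performs (an HPKP-style pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, per RFC 7469) together with the exemption described above: pins are not enforced when the chain ends in a CA the user or enterprise installed locally, unless strict enforcement (the Firefox level-2 setting) is turned on. All key material is constructed stand-in byte strings; `appliance_ca`, `site_intermediate` and the pin sets are assumptions for illustration.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER)), RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pins) -> bool:
    """A chain satisfies the site's pins when at least one certificate in it
    (leaf, intermediate or root) carries a pinned public key."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def should_enforce_pins(chain_spkis, local_anchors, strict=False) -> bool:
    """Chrome/Firefox/IE skip pin enforcement when the chain terminates in a
    root that was installed into the local store (enterprise interception).
    Strict mode (e.g. Firefox cert_pinning level 2) enforces pins regardless."""
    if strict:
        return True
    root_spki = chain_spkis[-1]
    return spki_pin(root_spki) not in local_anchors


def evaluate(chain_spkis, pins, local_anchors, strict=False) -> str:
    """Return the outcome a pin-aware user-agent would reach for this chain."""
    if not should_enforce_pins(chain_spkis, local_anchors, strict):
        return "accepted (pins not enforced: chain ends in locally installed CA)"
    if chain_matches_pins(chain_spkis, pins):
        return "accepted (pin match)"
    # A chain signed by a CA that is neither pinned nor locally trusted would
    # already fail ordinary trust validation; with pins it also cannot be
    # overridden by the user, which is the behaviour the article describes.
    return "rejected (pin validation failure)"


# --- constructed stand-ins for SubjectPublicKeyInfo DER blobs (not real keys) ---
SITE_LEAF = b"CONSTRUCTED-SPKI-site-leaf"
SITE_INTERMEDIATE = b"CONSTRUCTED-SPKI-site-intermediate"
PUBLIC_ROOT = b"CONSTRUCTED-SPKI-public-root"
APPLIANCE_LEAF = b"CONSTRUCTED-SPKI-appliance-resigned-leaf"
APPLIANCE_CA = b"CONSTRUCTED-SPKI-appliance-ca"

# The site pins its intermediate plus a backup key, the usual HPKP practice.
SITE_PINS = {spki_pin(SITE_INTERMEDIATE), spki_pin(b"CONSTRUCTED-SPKI-backup-key")}

GENUINE_CHAIN = [SITE_LEAF, SITE_INTERMEDIATE, PUBLIC_ROOT]
# With interception the client sees a leaf re-signed by the appliance CA.
INTERCEPTED_CHAIN = [APPLIANCE_LEAF, APPLIANCE_CA]

CA_INSTALLED = {spki_pin(APPLIANCE_CA)}   # corporate CA pushed to the client store
CA_NOT_INSTALLED = set()                  # the "override the error" test case


def scenarios():
    """The four cases from the article, keyed for inspection."""
    return {
        "direct": evaluate(GENUINE_CHAIN, SITE_PINS, CA_NOT_INSTALLED),
        "intercepted, CA installed": evaluate(INTERCEPTED_CHAIN, SITE_PINS, CA_INSTALLED),
        "intercepted, CA not installed": evaluate(INTERCEPTED_CHAIN, SITE_PINS, CA_NOT_INSTALLED),
        "intercepted, CA installed, strict": evaluate(INTERCEPTED_CHAIN, SITE_PINS, CA_INSTALLED, strict=True),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:36s} -> {outcome}")
```

The only case that passes under interception is the one where the appliance CA is present in the local store and strict enforcement is off, which is why installing the CA certificate, rather than clicking through the error, is the correct way to test.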