Dropbox, SSL Interception, and Issues when enforcing user/group based policy.

Article ID: 169397

Products

Web Security Service - WSS

Issue/Introduction

A policy rule, created in the ThreatPulse portal editor, to block or allow Dropbox for specific users or groups does not work. A likely cause is certificate pinning.

Cause

Normally, certificates are verified/validated by inspecting the signature hierarchy:

[MyCert] signed by [IntermediateCert] → signed by [RootCert]

where [RootCert] is listed in your computer's "Trusted Cert Store."

Certificate Pinning differs in that the client ignores the hierarchy above and instead says "Trust this cert only," or "Only trust certificates signed by this certificate." For example, Windows Update Service trusts only certificates signed by Microsoft. This can effectively mitigate the risk of a compromised CA cert, because a certificate issued by any other CA, even one in the Trusted Cert Store, is rejected.

See: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning 
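To illustrate why a pinning client rejects an interception certificate even though the endpoint trusts the enterprise root that signed it, here is an added toy model of the hierarchy check versus a pin check. It is not WSS or Dropbox code; the certificates, key labels and pin values are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Toy model (added example, not WSS/Dropbox code): a "key" is just a label,
# and its SPKI hash is the SHA-256 of that label.

@dataclass(frozen=True)
class Cert:
    subject: str
    spki: str          # stands in for the SubjectPublicKeyInfo hash
    issuer_spki: str   # SPKI of the signer; equals spki when self-signed

def spki_of(key_label: str) -> str:
    return hashlib.sha256(key_label.encode()).hexdigest()

def make_cert(subject: str, key_label: str, issuer_key_label: str) -> Cert:
    return Cert(subject, spki_of(key_label), spki_of(issuer_key_label))

def chain_valid(chain: list[Cert], trusted_roots: set[str]) -> bool:
    """Hierarchy check: each cert is signed by the next one, ending at a
    self-signed root that is present in the trusted store."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer_spki != issuer.spki:
            return False
    root = chain[-1]
    return root.issuer_spki == root.spki and root.spki in trusted_roots

def pin_valid(chain: list[Cert], pins: set[str]) -> bool:
    """Pinning check: some cert in the chain must carry a pinned SPKI,
    regardless of which roots the endpoint trusts."""
    return any(cert.spki in pins for cert in chain)

# Constructed sample chains: the genuine one and the one an SSL
# Interception proxy would present (signed by the enterprise root).
real_chain = [make_cert("dropbox.com", "dropbox-leaf", "public-intermediate"),
              make_cert("Public Intermediate", "public-intermediate", "public-root"),
              make_cert("Public Root", "public-root", "public-root")]
intercept_chain = [make_cert("dropbox.com", "proxy-leaf", "enterprise-root"),
                   make_cert("Enterprise Root", "enterprise-root", "enterprise-root")]

# The endpoint's Trusted Cert Store holds both roots; the client ships a
# constructed pin for the public intermediate only.
trusted_store = {spki_of("public-root"), spki_of("enterprise-root")}
client_pins = {spki_of("public-intermediate")}

def evaluate(chain: list[Cert]) -> tuple[bool, bool]:
    """Return (passes hierarchy check, passes pin check) for a chain."""
    return chain_valid(chain, trusted_store), pin_valid(chain, client_pins)
```

The genuine chain passes both checks; the interception chain passes the hierarchy check (the enterprise root is trusted) but fails the pin check, which is why the pinning client refuses the connection.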

Resolution

Because the Dropbox client pins its certificate, it rejects the certificate presented by SSL Interception, so SSL Interception is not possible for Dropbox policy.

Thus, Dropbox can only be ALLOWED or BLOCKED for everyone. It cannot be enforced for specific users or groups.