
Dropbox, SSL Interception, and Issues when enforcing user/group based policy.


Article ID: 169397




Web Security Service - WSS


A policy rule, created in the ThreatPulse portal editor, to block or allow Dropbox for specific users or groups does not work. A likely cause is certificate pinning.


Normally, certificates are validated by inspecting the signature hierarchy:
 - [MyCert] signed by [IntermediateCert] → signed by [RootCert]
   - Where [RootCert] is listed in your computer's "Trusted Cert Store."

Certificate Pinning differs in that you ignore the hierarchy above and instead say "Trust this cert only," or "Only trust certificates signed by this certificate." For example, Windows Update Service trusts only certificates signed by Microsoft. This can effectively mitigate any risk of a compromised CA cert.



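Because of Certificate Pinning, SSL Interception is not possible for Dropbox: interception presents a substitute certificate to the client in place of the pinned one, and the Dropbox client rejects it.

Thus, Dropbox can only be ALLOWED or BLOCKED for everyone. The policy cannot be enforced for specific users or groups.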
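
The difference between the two checks described above, as an added example that is not part of the original article or of any vendor's code: an intercepted chain passes ordinary hierarchy validation once the interception CA is in the trust store, but fails a pin check. The certificates are a simplified model with constructed names and keys (`app.example`, `Proxy Interception CA`), and cryptographic signature verification is assumed and omitted.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes  # constructed stand-in for real key bytes

    def fingerprint(self) -> str:
        data = f"{self.subject}|{self.issuer}|".encode() + self.public_key
        return hashlib.sha256(data).hexdigest()

def chain_trusted(chain, trust_store):
    """Hierarchy validation: each cert names the next cert as its issuer and
    the last cert is a root in the trust store (signature checks omitted)."""
    if not chain:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False
    return chain[-1].fingerprint() in trust_store

def pin_ok(chain, pins):
    """Pinning: ignore the trust store; some cert in the presented chain must
    match a pin (the leaf itself, or the certificate that signed it)."""
    return any(cert.fingerprint() in pins for cert in chain)

# Constructed sample data: the genuine chain served by the site.
public_root = Cert("Public Root CA", "Public Root CA", b"root-key")
intermediate = Cert("Public Intermediate CA", "Public Root CA", b"int-key")
leaf = Cert("app.example", "Public Intermediate CA", b"leaf-key")
GENUINE = [leaf, intermediate, public_root]

# Constructed sample data: the chain a client sees under SSL interception.
proxy_root = Cert("Proxy Interception CA", "Proxy Interception CA", b"proxy-key")
proxy_leaf = Cert("app.example", "Proxy Interception CA", b"proxy-leaf-key")
INTERCEPTED = [proxy_leaf, proxy_root]

# The interception CA is installed on the workstation; the app pins the issuer.
TRUST_STORE = {public_root.fingerprint(), proxy_root.fingerprint()}
PINS = {intermediate.fingerprint()}

if __name__ == "__main__":
    for name, chain in (("genuine", GENUINE), ("intercepted", INTERCEPTED)):
        print(f"{name}: hierarchy={chain_trusted(chain, TRUST_STORE)} "
              f"pin={pin_ok(chain, PINS)}")
```
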