Child Item

Disabling Certificate Pinning.

Hi,

There are many corporate customers who would like to to monitor their SSL traffic VIA a proxy.
However, due to the usage of "certificate pinning" in the Dropbox clients this has become impossible.

Implementing a mechanism (e.g. an argument flag) to disable certificate pinning could be the middle ground for solving this.

Thanks,
Tomer.

Find more posts tagged with

Desktop

Storage space

Insightful

Comments

Richard P.

I doubt that is going to happen, as Dropbox use the certificate for authentication purposes as well as protecting the API.

Sean P.7

I have the same issue. The SSL inteception via the corporate firewall blocks Dropbox SSL connections for this reason.

Richard P.

That's the point of it.

Sean P.7

So Dropbox simply shouldn't support customers that use their product in the enterprise?

Richard P.

Then dont recommend them if you can't recommend them - its as easy as that.

But allowing deep packet inspection doesn't solve all the problems in the world - what if Dropboxes API is a binary one, what then? Demands for the spec to see what's going on? What about binary files? Archives? ISO's? Removing the certificate pinning doesn't automatically make the traffic readable, but it does make it less secure.

If you are uncomfortable with the possibility of data leakage through Dropbox, then don't install Dropbox on your corporate network. Find a solution which you own top to bottom, dont go half way by requiring access to an undocumented proprietary data stream as if thats going to solve your problems.

Tomer H.

Hi Richard,

My apologies for being so blunt. I've deleted my previous message as it was a bit improper.

I believe the best solution is to enable by default certificate pinning. But to keep an option for users to disable it.

It's just my opinion.

Thanks for your reply.

Tomer.

Sam B.16

Is there really no way to make progress some kind of progress on this? I would rather be able to use inspected Dropbox than not use it at all. Many companies do not really understand what they are inspecting, but they need to be able to turn on DPI to allow a service regardless. In many places this is primarily about malware coming in from an infected home PC on uninspected services. Is there some official response to this issue?

[This thread is now closed by moderators due to inactivity. If you're experiencing a similar behavior, feel free to start a new discussion in the Ask a Question section here.]