Child Item

Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?

Hi!

I'm developing a mobile Dropbox Client using the Core API and I am adding Certificate Pinning functionality to my HTTP Client.

I'm checking the entire certificate chain, and so far I went to the endpoints (api.dropbox.com and api-content.dropbox.com) via HTTPS and downloaded the entire chain for both, which resulted in 4 certs: *.dropbox.com, api.dropboxapi.com, GoDaddy Secure CA G2 and GoDaddy Root CA G2.

I've tested my code and everything is working fine.

However, just to be sure I went to the DropboxSDK to check the pinned certificates, and found out it has a lot more of them:

DigiCert Assured ID Root CA

DigiCert Global Root CA

DigiCert High Assurance EV Root CA

Entrust Root Certification Authority - EC1

Entrust Root Certification Authority - G2

Entrust Root Certification Authority

Entrust.net Certification Authority (2048)

GeoTrust Global CA

GeoTrust Primary Certification Authority - G2

GeoTrust Primary Certification Authority - G3

GeoTrust Primary Certification Authority

Go Daddy Class 2 Certification Authority

Go Daddy Root Certificate Authority - G2

Go Daddy Secure Certification Authority serialNumber=07969287

Go Daddy Secure Server Certificate (Cross Intermediate Certificate)

Thawte Premium Server CA

Thawte Primary Root CA - G2

Thawte Primary Root CA - G3

Thawte Primary Root CA

So my question is, are all these Root certificates currently used, or are they legacy? (I know GoDaddy at least is currently being used)

If they are currently used, does this list include the complete chains for every Root CA?

Thanks in advance

Find more posts tagged with

API

Abuse

Comments

Mark

moves to correct forum

Greg-DB

The list includes all root CAs supported by Dropbox, some of which may not be used in certificate chains we're currently serving. Please include all of these root CAs in your app as we may switch root CAs on our production SSL certificate at any time without notice. The list covers all certificate chains that we are currently using or planning to use.

André N.

Thanks for your answer, Greg!

Ok, I'll use this list in my app too.

Hovever, (and correct me if I'm wrong) this list doesn't contain all the complete chains for the several Root CA's, right?

Hence, only the Root CAs will be validated and not the complete chains. Doesn't this pose a security risk?

I'm asking because my current certificate pinning solution enables me to validate the entire chain, which I think should offer a better level of protection against MITM attacks. On the other hand, it also requires me to have all the intermediate certificates pinned...

Thanks!

Greg-DB

We intentionally do not pin intermediate and leaf certificates. We often have a legitimate need to rotate these certificates as they have a shorter expiration time and have a higher risk of getting compromised. For example, several CAs rotated their intermediate certificates as a result of a Heartbleed bug. By pinning intermediate or leaf certificates we would leave a large number of clients unable to connect to Dropbox in case we need to rotate the certificates.

André N.

Thanks once again Greg! It all makes sense now