Understand Public Key Pinning and Certificate Pinning in Umbrella

Introduction

This document describes certificate pinning and public key pinning in Cisco Umbrella.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on Cisco Umbrella.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Overview

Certificate pinning is an Internet security mechanism which allows applications to resist impersonation against HTTPS servers using mis-issued or otherwise fraudulent digital certificates. It does this by associating a server with a defined set of public keys, which can be the only ones trusted for connections to that server. There are two techniques for Certificate Pinning:

• Public Key Pinning (PKP RFC7469) is a now obsolete mechanism for triggering certificate pinning in web browsers. Pinned certificates are sent to the browser using HTTP headers.
• Static Certificate Pinning is where an application is hard-coded to expect specific certificates or certificate authorities. Some desktop/mobile applications use a static certificate pinning mechanism for additional security.

When these web applications are proxied by Umbrella, the public key provided by Umbrella does not match which causes the application to close the HTTPS connection. Certificate pinning most commonly applies to only desktop/mobile applications because PKP support has been removed by modern web browsers.

Compatibility with Umbrella SWG

Umbrella bypasses known URLs from SSL Decryption to resolve certificate pinning issues in certain circumstances. Table 1 includes applications that have been bypassed globally for all Umbrella customers. Table 1 also includes other applications that were known to use certificate pinning at the time or writing. If you are using any of these applications, you can consider using the methods described later, for the reasons given, to bypass the application from HTTPS inspection.  Table 2 provides more detail for the application services covered in table 1. 

Other Certificate Pinning Applications

Applications can be bypassed on a per-customer (per-policy) basis to solve certificate pinning problems using Umbrella's Selective Decryption feature. These exceptions can be implemented easily based on domain, application name or category; Umbrella SWG includes a large library of applications in our app database.

In most cases the decision whether to bypass the application rests with the IT Administrator. Adding a Decryption exception is a security trade-off because it prevents security/file inspection of the web content. This is an individual decision depending on the type of application and business need. For example, if the certificate pinning issue only affects a mobile/desktop application the Administrator can choose to add an exception to make the mobile application work or can instead prefer to ask users to use the web version of the application.

This is a table of applications that are either bypassed Globally for Umbrella Customers and no action is required or known to use certificate pinning at the time of writing and not bypassed by Umbrella by default. If you are using the applications which are not bypassed by default, then you can consider using the methods described above, for the reasons given, to bypass the application from HTTPS inspection.

Table 1 - Applications that can use certificate pinning

Table 2 – Detail forServices bypassed globally as shown in table 1

For additional help, please see Troubleshooting Non-Browser Applications or contact Umbrella Support. Applications may be considered for addition to our global bypass list after they have been reviewed by the Engineering team.