Certificate pinning is a way for a website to specify which certificate authorities have issued valid certificates for it. A user agent that knows the site's pins can then reject a TLS connection when the presented certificate was not issued by one of those known-good CAs.
In a nutshell, HTTP pinning is a method to prevent man-in-the-middle attacks performed with certificates from authorities that are not on the site's list.
Because the SSL Visibility Appliance acts as the issuing CA for intercepted HTTPS connections, HTTP pinning may become an issue.
Certificate pinning is not really an issue for normal browsing when a company implements SSL interception correctly. Testing by simply browsing to a site and clicking through the untrusted-issuer error will not work for sites that pin their certificates. Instead, install the appliance's CA certificate in the client's certificate store and then test SSL interception.
This has been tested with Chrome, Firefox and IE. If the corporate CA certificate is installed in the client's certificate store, these browsers will not enforce the pin that ties the web server's certificate to its original issuing CA.
Only when the CA certificate is not in the user's certificate store will these browsers terminate the connection without allowing the user to override the untrusted-issuer error. This is the default behavior. If the Firefox preference security.cert_pinning.enforcement_level is set to 2, Firefox will also refuse the privately installed CA certificate for pinned sites.
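The decision the article describes (pins are skipped when the chain ends at a locally installed root, unless Firefox's enforcement level is raised to 2) can be modelled in a few lines. The following is an added illustration, not browser, appliance or vendor code: the certificate records, CA names and SPKI bytes are constructed placeholders, the pin is computed the HPKP way (base64 of SHA-256 over the DER SubjectPublicKeyInfo), and ordinary chain-trust validation is assumed to happen separately so that only the pin decision is shown.

```python
"""Model of browser pin enforcement with a locally installed interception CA.

Added illustration only; not browser or SSL Visibility Appliance code.
Certificate records below are constructed, simplified stand-ins.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki_der: bytes  # DER SubjectPublicKeyInfo; here constructed placeholder bytes


def spki_pin(cert: Cert) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode()


# Enforcement levels mirroring Firefox's security.cert_pinning.enforcement_level
DISABLED, ALLOW_USER_ROOTS, STRICT = 0, 1, 2


def chain_matches_pins(chain, pins):
    """A pin matches if any certificate in the chain carries a pinned SPKI."""
    return any(spki_pin(c) in pins for c in chain)


def evaluate(chain, pins, user_installed_roots, level=ALLOW_USER_ROOTS):
    """Return (accepted, reason) for a leaf-first chain ending at its root.

    Trust validation of the chain itself is assumed to be done elsewhere;
    this models only the pin check and whether the user may override.
    """
    root = chain[-1]
    if level == DISABLED:
        return True, "pinning disabled"
    if level == ALLOW_USER_ROOTS and root.subject in user_installed_roots:
        return True, "chain ends at a locally installed root; pins not enforced"
    if chain_matches_pins(chain, pins):
        return True, "pin matched"
    return False, "no pin matched; connection terminated, no override offered"


# Constructed sample data: a public root, a corporate interception CA, and the
# same site seen directly and through the interception appliance.
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", b"constructed-public-root-spki")
CORP_CA = Cert("Corp Interception CA", "Corp Interception CA", b"constructed-corp-ca-spki")
SITE_DIRECT = Cert("www.example.test", "Public Root CA", b"constructed-site-spki")
SITE_INTERCEPTED = Cert("www.example.test", "Corp Interception CA", b"constructed-resigned-spki")

GENUINE_CHAIN = [SITE_DIRECT, PUBLIC_ROOT]
INTERCEPTED_CHAIN = [SITE_INTERCEPTED, CORP_CA]

# The site pins its public root's key (what a pinned site would advertise).
SITE_PINS = {spki_pin(PUBLIC_ROOT)}


def main():
    cases = [
        ("direct, no corp CA installed", GENUINE_CHAIN, set(), ALLOW_USER_ROOTS),
        ("intercepted, corp CA installed", INTERCEPTED_CHAIN, {"Corp Interception CA"}, ALLOW_USER_ROOTS),
        ("intercepted, corp CA not installed", INTERCEPTED_CHAIN, set(), ALLOW_USER_ROOTS),
        ("intercepted, corp CA installed, level 2", INTERCEPTED_CHAIN, {"Corp Interception CA"}, STRICT),
    ]
    for name, chain, roots, level in cases:
        accepted, reason = evaluate(chain, SITE_PINS, roots, level)
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'} ({reason})")


if __name__ == "__main__":
    main()
```

The third case is the one the article warns about: clicking through the untrusted-issuer warning is not possible for a pinned site, so the interception test must be done with the appliance's CA imported into the client store. The fourth case shows why a Firefox client set to level 2 will still fail even after the import.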
Imported Document ID: 000023858