
Forum Discussion

Tomer H.
New member | Level 1
10 years ago

Disabling Certificate Pinning.

Hi,

There are many corporate customers who would like to monitor their SSL traffic via a proxy.
However, due to the usage of "certificate pinning" in the Dropbox clients this has become impossible.

Implementing a mechanism (e.g. an argument flag) to disable certificate pinning could be the middle ground for solving this.

Thanks,
Tomer.
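The mechanism the thread is arguing about, as an added illustration that is not part of the original post or of Dropbox's client code: a public-key pin is the SHA-256 of a certificate's SubjectPublicKeyInfo, and a pinned client accepts a connection only if some certificate in the already-validated chain carries one of the keys it shipped with. An interception proxy re-signs the server certificate with its own key, so the chain passes normal trust-store validation but not the pin check. The SPKI blobs below are constructed placeholder bytes, not real keys; a real client would take them from the DER-encoded X.509 certificates presented in the handshake.

```python
import base64
import hashlib

# Constructed placeholder SPKI blobs (stand-ins for DER SubjectPublicKeyInfo).
# None of these are Dropbox's actual keys.
GENUINE_SPKI = b"CONSTRUCTED-SPKI-DER:service-key-1"
BACKUP_SPKI = b"CONSTRUCTED-SPKI-DER:service-backup-key"
PUBLIC_CA_SPKI = b"CONSTRUCTED-SPKI-DER:public-ca-key"
PROXY_LEAF_SPKI = b"CONSTRUCTED-SPKI-DER:corporate-proxy-leaf-key"
PROXY_CA_SPKI = b"CONSTRUCTED-SPKI-DER:corporate-proxy-ca-key"


def spki_pin(spki_der: bytes) -> str:
    """Pin in the usual wire format: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# A client ships at least one live pin plus a backup pin so that key rotation
# does not lock every installed client out.
PINNED = frozenset({spki_pin(GENUINE_SPKI), spki_pin(BACKUP_SPKI)})


def chain_passes_pins(chain_spki: list[bytes], pins: frozenset[str] = PINNED) -> bool:
    """Pin check applied after ordinary path validation has succeeded.

    chain_spki is the validated chain, leaf first. The check passes if any
    certificate in the chain carries a pinned key; pinning an intermediate or
    root key is what lets the leaf rotate without a client update.
    """
    return any(spki_pin(spki) in pins for spki in chain_spki)


def classify_connection(chain_spki: list[bytes], trust_store_ok: bool = True) -> str:
    """Summarise why a connection is accepted or refused.

    trust_store_ok models the outcome of normal X.509 validation against the
    OS trust store, which a corporate proxy CA typically passes because the
    enterprise installs its CA on managed machines.
    """
    if not trust_store_ok:
        return "rejected: chain does not validate"
    if chain_passes_pins(chain_spki):
        return "accepted: pinned key present"
    return "rejected: chain validates but no pinned key present (interception?)"


if __name__ == "__main__":
    direct = [GENUINE_SPKI, PUBLIC_CA_SPKI]
    intercepted = [PROXY_LEAF_SPKI, PROXY_CA_SPKI]
    print("direct     :", classify_connection(direct))
    print("via proxy  :", classify_connection(intercepted))
```

The second case is exactly the failure the posters describe: the proxy's chain is trusted by the machine, so nothing in the OS complains, but the client refuses because the proxy's key was never pinned. Logging that distinction (validates but unpinned, versus does not validate) is what makes the condition diagnosable on a managed network rather than looking like a generic TLS error.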

  • Sam B.16
    New member | Level 1

    Is there really no way to make some kind of progress on this? I would rather be able to use inspected Dropbox than not use it at all. Many companies do not really understand what they are inspecting, but they need to be able to turn on DPI to allow a service regardless. In many places this is primarily about malware coming in from an infected home PC on uninspected services. Is there some official response to this issue?


    [This thread is now closed by moderators due to inactivity. If you're experiencing a similar behavior, feel free to start a new discussion in the Ask a Question section here.]

  • Tomer H.
    New member | Level 1

    Hi Richard,

    My apologies for being so blunt. I've deleted my previous message as it was a bit improper.
    I believe the best solution is to enable certificate pinning by default, but to keep an option for users to disable it.

    It's just my opinion.

    Thanks for your reply.
    Tomer.

  • Richard P.
    Super User alumni

    I doubt that is going to happen, as Dropbox uses the certificate for authentication purposes as well as protecting the API.

  • Sean P.7
    New member | Level 1

    I have the same issue. The SSL interception via the corporate firewall blocks Dropbox SSL connections for this reason.

  • Sean P.7
    New member | Level 1

    So Dropbox simply shouldn't support customers that use their product in the enterprise?

  • Richard P.
    Super User alumni

    Then don't recommend them if you can't recommend them; it's as easy as that.

    But allowing deep packet inspection doesn't solve all the problems in the world. What if Dropbox's API is a binary one, what then? Demands for the spec to see what's going on? What about binary files? Archives? ISOs? Removing the certificate pinning doesn't automatically make the traffic readable, but it does make it less secure.

    If you are uncomfortable with the possibility of data leakage through Dropbox, then don't install Dropbox on your corporate network. Find a solution which you own top to bottom; don't go half way by requiring access to an undocumented proprietary data stream as if that's going to solve your problems.
