Disabling Certificate Pinning.

Tomer H.
New member | Level 1

Hi,

There are many corporate customers who would like to monitor their SSL traffic via a proxy.
However, due to the usage of "certificate pinning" in the Dropbox clients this has become impossible.

Implementing a mechanism (e.g. an argument flag) to disable certificate pinning could be the middle ground for solving this.

Thanks,
Tomer.

Richard P.
Super User alumni

I doubt that is going to happen, as Dropbox use the certificate for authentication purposes as well as protecting the API.

Sean P.7
New member | Level 1

I have the same issue. The SSL interception via the corporate firewall blocks Dropbox SSL connections for this reason.

Richard P.
Super User alumni

That's the point of it.

Sean P.7
New member | Level 1

So Dropbox simply shouldn't support customers that use their product in the enterprise?

Richard P.
Super User alumni

Then don't recommend them if you can't recommend them - it's as easy as that.

But allowing deep packet inspection doesn't solve all the problems in the world - what if Dropbox's API is a binary one, what then? Demands for the spec to see what's going on? What about binary files? Archives? ISOs? Removing the certificate pinning doesn't automatically make the traffic readable, but it does make it less secure.

If you are uncomfortable with the possibility of data leakage through Dropbox, then don't install Dropbox on your corporate network. Find a solution which you own top to bottom; don't go halfway by requiring access to an undocumented proprietary data stream as if that's going to solve your problems.

Tomer H.
New member | Level 1

Hi Richard,

My apologies for being so blunt. I've deleted my previous message as it was a bit improper.
I believe the best solution is to enable by default certificate pinning. But to keep an option for users to disable it.

It's just my opinion.

Thanks for your reply.
Tomer.

Sam B.16
New member | Level 1

Is there really no way to make some kind of progress on this? I would rather be able to use inspected Dropbox than not use it at all. Many companies do not really understand what they are inspecting, but they need to be able to turn on DPI to allow a service regardless. In many places this is primarily about malware coming in from an infected home PC on uninspected services. Is there some official response to this issue?
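
The behaviour the thread argues about, as an added example that is not part of this discussion or of Dropbox's client code: an HPKP-style public-key pin check that accepts a chain only if some key in it matches a pinned SPKI hash, so a chain re-signed by an inspection proxy's root is rejected, and a `pinning_enabled` flag modelling the opt-out Tomer asks for. All SPKI byte strings below are constructed placeholders, not real key material.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. In a real
# client these are extracted from the X.509 certificates the server presents.
SERVICE_INTERMEDIATE_SPKI = b"constructed-spki:service-intermediate-ca"
SERVICE_LEAF_SPKI = b"constructed-spki:service-leaf"
SERVICE_BACKUP_SPKI = b"constructed-spki:service-backup-key"
PROXY_ROOT_SPKI = b"constructed-spki:corporate-inspection-root"
PROXY_ISSUED_LEAF_SPKI = b"constructed-spki:proxy-issued-leaf"


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP/Android
    network-security-config convention."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# The client ships pins for a key the operator controls (the intermediate) and
# a backup key that is kept offline, so a key rotation does not brick clients.
PINNED = {spki_pin(SERVICE_INTERMEDIATE_SPKI), spki_pin(SERVICE_BACKUP_SPKI)}


def chain_passes_pin(chain_spkis, pinned=PINNED, pinning_enabled=True):
    """Accept the presented chain if ANY key in it matches a pinned hash.

    An inspection proxy replaces the whole chain with one rooted in its own
    CA, so no key matches and the connection is refused even though the OS
    trust store (with the proxy root installed) would have accepted it.
    pinning_enabled=False models the opt-out flag requested in the thread:
    any chain the trust store accepts is then allowed, proxy-issued or not.
    """
    if not pinning_enabled:
        return True
    return any(spki_pin(spki) in pinned for spki in chain_spkis)


def describe(chain_spkis, pinning_enabled=True) -> str:
    """Human-readable verdict, useful when logging pin failures client-side."""
    ok = chain_passes_pin(chain_spkis, pinning_enabled=pinning_enabled)
    mode = "pinning on" if pinning_enabled else "pinning off"
    return f"{mode}: {'accepted' if ok else 'rejected (no pinned key in chain)'}"


if __name__ == "__main__":
    legit = [SERVICE_LEAF_SPKI, SERVICE_INTERMEDIATE_SPKI]
    intercepted = [PROXY_ISSUED_LEAF_SPKI, PROXY_ROOT_SPKI]
    print("genuine chain   ->", describe(legit))
    print("proxy chain     ->", describe(intercepted))
    print("proxy, opt-out  ->", describe(intercepted, pinning_enabled=False))
```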

[This thread is now closed by moderators due to inactivity. If you're experiencing a similar behavior, feel free to start a new discussion in the Ask a Question section here.]