Forum Discussion

André N.
New member | Level 1
11 years ago

Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?

Hi!
I'm developing a mobile Dropbox Client using the Core API and I am adding Certificate Pinning functionality to my HTTP Client.

I'm checking the entire certificate chain, and so far I went to the endpoints (api.dropbox.com and api-content.dropbox.com) via HTTPS and downloaded the entire chain for both, which resulted in 4 certs: *.dropbox.com, api.dropboxapi.com, GoDaddy Secure CA G2 and GoDaddy Root CA G2.
I've tested my code and everything is working fine.

However, just to be sure I went to the DropboxSDK to check the pinned certificates, and found out it has a lot more of them:

DigiCert Assured ID Root CA
DigiCert Global Root CA
DigiCert High Assurance EV Root CA
Entrust Root Certification Authority - EC1
Entrust Root Certification Authority - G2
Entrust Root Certification Authority
Entrust.net Certification Authority (2048)
GeoTrust Global CA
GeoTrust Primary Certification Authority - G2
GeoTrust Primary Certification Authority - G3
GeoTrust Primary Certification Authority
Go Daddy Class 2 Certification Authority
Go Daddy Root Certificate Authority - G2
Go Daddy Secure Certification Authority serialNumber=07969287
Go Daddy Secure Server Certificate (Cross Intermediate Certificate)
Thawte Premium Server CA
Thawte Primary Root CA - G2
Thawte Primary Root CA - G3
Thawte Primary Root CA

So my question is, are all these Root certificates currently used, or are they legacy? (I know GoDaddy at least is currently being used)
If they are currently used, does this list include the complete chains for every Root CA?

Thanks in advance ;)

5 Replies

  • Greg-DB
    Dropbox Community Moderator
    11 years ago

    The list includes all root CAs supported by Dropbox, some of which may not be used in certificate chains we're currently serving. Please include all of these root CAs in your app as we may switch root CAs on our production SSL certificate at any time without notice. The list covers all certificate chains that we are currently using or planning to use.

  • André N.
    New member | Level 1
    11 years ago

    Thanks for your answer, Greg!

    Ok, I'll use this list in my app too.

    However, (and correct me if I'm wrong) this list doesn't contain all the complete chains for the several Root CAs, right?
    Hence, only the Root CAs will be validated and not the complete chains. Doesn't this pose a security risk?

    I'm asking because my current certificate pinning solution enables me to validate the entire chain, which I think should offer a better level of protection against MITM attacks. On the other hand, it also requires me to have all the intermediate certificates pinned...

    Thanks!

  • Greg-DB
    Dropbox Community Moderator
    11 years ago

    We intentionally do not pin intermediate and leaf certificates. We often have a legitimate need to rotate these certificates, as they have a shorter expiration time and a higher risk of getting compromised. For example, several CAs rotated their intermediate certificates as a result of the Heartbleed bug. By pinning intermediate or leaf certificates we would leave a large number of clients unable to connect to Dropbox in case we need to rotate the certificates.
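The policy Greg describes, and that André's full-chain approach would break, is "pin the set of root CAs, let intermediates and leaves rotate underneath them". The Go program below is an added example written for this thread; it is not code from the Dropbox SDK or from either poster, and all names in it (the two roots, the intermediates, the host api.example.com) are hypothetical. It builds a throwaway PKI in memory, then shows the three properties a pinned-root client needs: a rotated intermediate under a pinned root still verifies, a perfectly valid chain from a root outside the pin set is refused, and a pinned root cannot vouch for a leaf issued for some other hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: acceptable for building throwaway test PKI, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a certificate for cn with a fresh P-256 key, signed by parent/parentKey
// (self-signed when parent is nil). Hypothetical test PKI built in-process, not a real CA.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns, // hostname checks look at the SAN, not the CN
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey))
	return must(x509.ParseCertificate(der)), key
}

// verifyAgainstPinnedRoots is the policy from the thread: the pinned roots are the only trust
// anchors, intermediates come unpinned from the handshake (presented[1:]), and the leaf must
// chain to a pinned root for the expected hostname. Nothing the server sends is trusted on its own.
func verifyAgainstPinnedRoots(pinned, presented []*x509.Certificate, host string) error {
	if len(presented) == 0 {
		return fmt.Errorf("server presented no certificates")
	}
	roots := x509.NewCertPool()
	for _, r := range pinned {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// runScenarios builds two hypothetical roots (only A is pinned) and exercises the policy
// against four chains; every entry in the returned map should be true.
func runScenarios() map[string]bool {
	const host = "api.example.com" // hypothetical endpoint
	rootA, keyA := issue("Pinned Root A", true, nil, nil, nil)
	interA1, keyA1 := issue("Intermediate A1", true, nil, rootA, keyA)
	interA2, keyA2 := issue("Intermediate A2 (after rotation)", true, nil, rootA, keyA)
	rootB, keyB := issue("Other Root B", true, nil, nil, nil)
	interB, keyB1 := issue("Intermediate B1", true, nil, rootB, keyB)
	leafA1, _ := issue(host, false, []string{host}, interA1, keyA1)
	leafA2, _ := issue(host, false, []string{host}, interA2, keyA2)
	leafB, _ := issue(host, false, []string{host}, interB, keyB1)
	leafOther, _ := issue("other.example.com", false, []string{"other.example.com"}, interA2, keyA2)
	pinned := []*x509.Certificate{rootA}
	chain := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	return map[string]bool{
		"baseline chain accepted":       verifyAgainstPinnedRoots(pinned, chain(leafA1, interA1), host) == nil,
		"rotated intermediate accepted": verifyAgainstPinnedRoots(pinned, chain(leafA2, interA2), host) == nil,
		"unpinned root rejected":        verifyAgainstPinnedRoots(pinned, chain(leafB, interB), host) != nil,
		"wrong hostname rejected":       verifyAgainstPinnedRoots(pinned, chain(leafOther, interA2), host) != nil,
	}
}

func main() { fmt.Println(runScenarios()) }
```

In a real client the pinned slice would be the root list from the SDK (parsed from PEM with x509.ParseCertificate) and presented would be the peer chain from the TLS handshake; the rest of the check stays the same. The design point is that the roots pool is the whole trust decision: the client never consults the OS trust store, so a compromised or coerced public CA that is not in the pin set gets the same rejection as rootB above, while Dropbox remains free to swap intermediates or leaves.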

About Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.
