<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains? in Dropbox API Support &amp; Feedback</title>
    <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84715#M2571</link>
    <description>&lt;P&gt;Thanks for your answer, Greg!&lt;/P&gt;

&lt;P&gt;Ok, I'll use this list in my app too.&lt;/P&gt;

&lt;P&gt;However, (and correct me if I'm wrong) this list doesn't contain all the complete chains for the several Root CAs, right?&lt;BR /&gt;
Hence, only the Root CAs will be validated and not the complete chains. Doesn't this pose a security risk?&lt;/P&gt;

&lt;P&gt;I'm asking because my current certificate pinning solution enables me to validate the entire chain, which I think should offer a better level of protection against MITM attacks. On the other hand, it also requires me to have all the intermediate certificates pinned...&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
    <pubDate>Wed, 27 May 2015 22:24:45 GMT</pubDate>
    <dc:creator>André N.</dc:creator>
    <dc:date>2015-05-27T22:24:45Z</dc:date>
    <item>
      <title>Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84712#M2568</link>
      <description>&lt;P&gt;Hi!&lt;BR /&gt;
I'm developing a mobile Dropbox Client using the Core API and I am adding Certificate Pinning functionality to my HTTP Client.&lt;/P&gt;

&lt;P&gt;I'm checking the entire certificate chain, and so far I went to the endpoints (api.dropbox.com and api-content.dropbox.com) via HTTPS and downloaded the entire chain for both, which resulted in 4 certs: *.dropbox.com, api.dropboxapi.com, GoDaddy Secure CA G2 and GoDaddy Root CA G2.&lt;BR /&gt;
I've tested my code and everything is working fine.&lt;/P&gt;

&lt;P&gt;However, just to be sure I went to the DropboxSDK to check the pinned certificates, and found out it has a lot more of them:&lt;/P&gt;

&lt;P&gt;DigiCert Assured ID Root CA&lt;BR /&gt;
DigiCert Global Root CA&lt;BR /&gt;
DigiCert High Assurance EV Root CA&lt;BR /&gt;
Entrust Root Certification Authority - EC1&lt;BR /&gt;
Entrust Root Certification Authority - G2&lt;BR /&gt;
Entrust Root Certification Authority&lt;BR /&gt;
Entrust.net Certification Authority (2048)&lt;BR /&gt;
GeoTrust Global CA&lt;BR /&gt;
GeoTrust Primary Certification Authority - G2&lt;BR /&gt;
GeoTrust Primary Certification Authority - G3&lt;BR /&gt;
GeoTrust Primary Certification Authority&lt;BR /&gt;
Go Daddy Class 2 Certification Authority&lt;BR /&gt;
Go Daddy Root Certificate Authority - G2&lt;BR /&gt;
Go Daddy Secure Certification Authority serialNumber=07969287&lt;BR /&gt;
Go Daddy Secure Server Certificate (Cross Intermediate Certificate)&lt;BR /&gt;
Thawte Premium Server CA&lt;BR /&gt;
Thawte Primary Root CA - G2&lt;BR /&gt;
Thawte Primary Root CA - G3&lt;BR /&gt;
Thawte Primary Root CA&lt;/P&gt;

&lt;P&gt;So my question is, are all these Root certificates currently used, or are they legacy? (I know GoDaddy at least is currently being used)&lt;BR /&gt;
If they are currently used, does this list include the complete chains for every Root CA?&lt;/P&gt;

&lt;P&gt;Thanks in advance ;)&lt;/P&gt;</description>
      <pubDate>Wed, 29 May 2019 09:42:32 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84712#M2568</guid>
      <dc:creator>André N.</dc:creator>
      <dc:date>2019-05-29T09:42:32Z</dc:date>
    </item>
    <item>
      <title>Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84713#M2569</link>
      <description>&lt;P&gt;&lt;EM&gt;moves to correct forum&lt;/EM&gt; &lt;/P&gt;</description>
      <pubDate>Mon, 25 May 2015 21:11:06 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84713#M2569</guid>
      <dc:creator>Mark</dc:creator>
      <dc:date>2015-05-25T21:11:06Z</dc:date>
    </item>
    <item>
      <title>Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84714#M2570</link>
      <description>&lt;P&gt;The list includes all root CAs supported by Dropbox, some of which may not be used in certificate chains we're currently serving. Please include all of these root CAs in your app as we may switch root CAs on our production SSL certificate at any time without notice. The list covers all certificate chains that we are currently using or planning to use.&lt;/P&gt;</description>
      <pubDate>Wed, 27 May 2015 06:49:14 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84714#M2570</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2015-05-27T06:49:14Z</dc:date>
    </item>
    <item>
      <title>Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84715#M2571</link>
      <description>&lt;P&gt;Thanks for your answer, Greg!&lt;/P&gt;

&lt;P&gt;Ok, I'll use this list in my app too.&lt;/P&gt;

&lt;P&gt;However, (and correct me if I'm wrong) this list doesn't contain all the complete chains for the several Root CAs, right?&lt;BR /&gt;
Hence, only the Root CAs will be validated and not the complete chains. Doesn't this pose a security risk?&lt;/P&gt;

&lt;P&gt;I'm asking because my current certificate pinning solution enables me to validate the entire chain, which I think should offer a better level of protection against MITM attacks. On the other hand, it also requires me to have all the intermediate certificates pinned...&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Wed, 27 May 2015 22:24:45 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84715#M2571</guid>
      <dc:creator>André N.</dc:creator>
      <dc:date>2015-05-27T22:24:45Z</dc:date>
    </item>
    <item>
      <title>Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84716#M2572</link>
      <description>&lt;P&gt;We intentionally do not pin intermediate and leaf certificates. We often have a legitimate need to rotate these certificates as they have a shorter expiration time and have a higher risk of getting compromised. For example, several CAs rotated their intermediate certificates as a result of the Heartbleed bug. By pinning intermediate or leaf certificates we would leave a large number of clients unable to connect to Dropbox in case we need to rotate the certificates.&lt;/P&gt;</description>
      <pubDate>Thu, 28 May 2015 00:54:05 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84716#M2572</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2015-05-28T00:54:05Z</dc:date>
    </item>
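<![CDATA[
The exchange above (André's worry that pinning only the roots skips the rest of the chain, and Greg's reply that intermediates and leaves are left unpinned so they can rotate) is demonstrated below as an added example; it is not code from the original thread, from the Dropbox SDK, or from Dropbox. It builds a throwaway CA hierarchy in memory (the names "Example Pinned Root CA", "Example Secure CA G1/G2", "api.example.com" and the rest are invented for the example) and shows a client that runs full path validation against the platform trust store and then requires the path to end in a pinned root: the whole chain is still checked, a rotated intermediate plus re-issued leaf under the same root keeps working, a valid chain under a trusted-but-unpinned root is rejected, and a leaf pin (the asker's design) stops matching as soon as the leaf is re-issued.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certKey pairs a certificate with its private key. Everything issued here is
// constructed for the example; none of it is a real Dropbox or CA certificate.
type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64 = 1

// newCert issues a P-256 certificate; parent == nil yields a self-signed root.
func newCert(cn string, isCA bool, parent *certKey, dns []string) *certKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certKey{cert: cert, key: key}
}

// spkiPin is the common pin format: base64(SHA-256(DER SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyWithPinnedRoots runs ordinary path validation against the platform
// store (signatures, validity, hostname and CA constraints on every cert in
// the path) and then requires the path to end in a root whose SPKI is pinned.
// Intermediates and the leaf are validated but not pinned, so they can rotate.
func verifyWithPinnedRoots(leaf *x509.Certificate, intermediates, store []*x509.Certificate,
	pins map[string]bool, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range store {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return err // the chain itself is bad; the pin check is never reached
	}
	for _, chain := range chains {
		if pins[spkiPin(chain[len(chain)-1])] {
			return nil
		}
	}
	return errors.New("valid chain, but it ends in a root that is not pinned")
}

// Results covers the cases the thread discusses.
type Results struct {
	OriginalChainOK bool // leaf under the first intermediate verifies
	RotatedChainOK  bool // new intermediate plus re-issued leaf, same root, still verifies
	UnpinnedRootErr bool // valid chain to a trusted-but-unpinned root is rejected
	LeafPinBroken   bool // a leaf pin (the asker's design) no longer matches after rotation
}

func runScenarios() Results {
	const host = "api.example.com" // hypothetical host, not a Dropbox endpoint
	pinnedRoot := newCert("Example Pinned Root CA", true, nil, nil)
	otherRoot := newCert("Example Other Root CA", true, nil, nil)
	store := []*x509.Certificate{pinnedRoot.cert, otherRoot.cert} // stands in for the OS trust store
	pins := map[string]bool{spkiPin(pinnedRoot.cert): true}
	inter1 := newCert("Example Secure CA G1", true, pinnedRoot, nil)
	leaf1 := newCert(host, false, inter1, []string{host})
	// The operator rotates the intermediate (as CAs did after Heartbleed) and re-issues the leaf.
	inter2 := newCert("Example Secure CA G2", true, pinnedRoot, nil)
	leaf2 := newCert(host, false, inter2, []string{host})
	// A chain the platform accepts, but under a root the app never pinned.
	interOther := newCert("Other Secure CA", true, otherRoot, nil)
	leafOther := newCert(host, false, interOther, []string{host})
	check := func(l, i *x509.Certificate) error {
		return verifyWithPinnedRoots(l, []*x509.Certificate{i}, store, pins, host)
	}
	return Results{
		OriginalChainOK: check(leaf1.cert, inter1.cert) == nil,
		RotatedChainOK:  check(leaf2.cert, inter2.cert) == nil,
		UnpinnedRootErr: check(leafOther.cert, interOther.cert) != nil,
		LeafPinBroken:   spkiPin(leaf1.cert) != spkiPin(leaf2.cert),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenarios())
}
```

The point to take from it: root pinning does not skip the intermediates, because path validation still verifies every signature and constraint from the leaf up; the pin only narrows which of the platform's roots may terminate the path. Pinning the leaf or an intermediate instead adds no signature checks, it only turns a routine rotation into an outage, which is the reason the SDK ships a list of roots rather than full chains.
]]>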
    <item>
      <title>Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84717#M2573</link>
      <description>&lt;P&gt;Thanks once again Greg! It all makes sense now ;)&lt;/P&gt;</description>
      <pubDate>Thu, 28 May 2015 01:03:06 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Dropbox-Certificate-Chain-for-Certificate-Pinning-single-or/m-p/84717#M2573</guid>
      <dc:creator>André N.</dc:creator>
      <dc:date>2015-05-28T01:03:06Z</dc:date>
    </item>
  </channel>
</rss>

