cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Apps and Installations

Have a question about a Dropbox app or installation? Reach out to the Dropbox Community and get solutions, help, and advice from members.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Disabling Certificate Pinning.

Disabling Certificate Pinning.

Tomer H.
New member | Level 1

Hi,

There are many corporate customers who would like to to monitor their SSL traffic VIA a proxy.
However, due to the usage of "certificate pinning" in the Dropbox clients this has become impossible.

Implementing a mechanism (e.g. an argument flag) to disable certificate pinning could be the middle ground for solving this.

Thanks,
Tomer.

7 Replies 7

Richard P.
Super User alumni

I doubt that is going to happen, as Dropbox use the certificate for authentication purposes as well as protecting the API.

Sean P.7
New member | Level 1

I have the same issue. The SSL inteception via the corporate firewall blocks Dropbox SSL connections for this reason.

Richard P.
Super User alumni

That's the point of it.

Sean P.7
New member | Level 1

So Dropbox simply shouldn't support customers that use their product in the enterprise?

Richard P.
Super User alumni

Then dont recommend them if you can't recommend them - its as easy as that.

But allowing deep packet inspection doesn't solve all the problems in the world - what if Dropboxes API is a binary one, what then? Demands for the spec to see what's going on? What about binary files? Archives? ISO's? Removing the certificate pinning doesn't automatically make the traffic readable, but it does make it less secure.

If you are uncomfortable with the possibility of data leakage through Dropbox, then don't install Dropbox on your corporate network. Find a solution which you own top to bottom, dont go half way by requiring access to an undocumented proprietary data stream as if thats going to solve your problems.

Tomer H.
New member | Level 1

Hi Richard,

My apologies for being so blunt. I've deleted my previous message as it was a bit improper.
I believe the best solution is to enable by default certificate pinning. But to keep an option for users to disable it.

It's just my opinion.

Thanks for your reply.
Tomer.

Sam B.16
New member | Level 1

Is there really no way to make progress some kind of progress on this? I would rather be able to use inspected Dropbox than not use it at all. Many companies do not really understand what they are inspecting, but they need to be able to turn on DPI to allow a service regardless. In many places this is primarily about malware coming in from an infected home PC on uninspected services. Is there some official response to this issue?

 

[This thread is now closed by moderators due to inactivity. If you're experiencing a similar behavior, feel free to start a new discussion in the Ask a Question section here.]

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Sam B.16 New member | Level 1
  • User avatar
    Tomer H. New member | Level 1
  • User avatar
    Richard P. Super User alumni
  • User avatar
    Sean P.7 New member | Level 1
What do Dropbox user levels mean?