Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?

New member | Level 1

Hi!
I'm developing a mobile Dropbox Client using the Core API and I am adding Certificate Pinning functionality to my HTTP Client.

I'm checking the entire certificate chain, and so far I went to the endpoints (api.dropbox.com and api-content.dropbox.com) via HTTPS and downloaded the entire chain for both, which resulted in 4 certs: *.dropbox.com, api.dropboxapi.com, GoDaddy Secure CA G2 and GoDaddy Root CA G2.
I've tested my code and everything is working fine.

However, just to be sure I went to the DropboxSDK to check the pinned certificates, and found out it has a lot more of them:

DigiCert Assured ID Root CA
DigiCert Global Root CA
DigiCert High Assurance EV Root CA
Entrust Root Certification Authority - EC1
Entrust Root Certification Authority - G2
Entrust Root Certification Authority
Entrust.net Certification Authority (204
GeoTrust Global CA
GeoTrust Primary Certification Authority - G2
GeoTrust Primary Certification Authority - G3
GeoTrust Primary Certification Authority
Go Daddy Class 2 Certification Authority
Go Daddy Root Certificate Authority - G2
Go Daddy Secure Certification Authority serialNumber=07969287
Go Daddy Secure Server Certificate (Cross Intermediate Certificate)
Thawte Premium Server CA
Thawte Primary Root CA - G2
Thawte Primary Root CA - G3
Thawte Primary Root CA

So my question is, are all these Root certificates currently used, or are they legacy? (I know GoDaddy at least is currently being used)
If they are currently used, does this list include the complete chains for every Root CA?

Thanks in advance

5 Replies

Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?

Super User II

moves to correct forum

Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?

Dropboxer

The list includes all root CAs supported by Dropbox, some of which may not be used in certificate chains we're currently serving. Please include all of these root CAs in your app as we may switch root CAs on our production SSL certificate at any time without notice. The list covers all certificate chains that we are currently using or planning to use.


Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?

New member | Level 1

Thanks for your answer, Greg!

Ok, I'll use this list in my app too.

However, (and correct me if I'm wrong) this list doesn't contain all the complete chains for the several Root CAs, right?
Hence, only the Root CAs will be validated and not the complete chains. Doesn't this pose a security risk?

I'm asking because my current certificate pinning solution enables me to validate the entire chain, which I think should offer a better level of protection against MITM attacks. On the other hand, it also requires me to have all the intermediate certificates pinned...

Thanks!


Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?

Dropboxer

We intentionally do not pin intermediate and leaf certificates. We often have a legitimate need to rotate these certificates as they have a shorter expiration time and have a higher risk of getting compromised. For example, several CAs rotated their intermediate certificates as a result of the Heartbleed bug. By pinning intermediate or leaf certificates we would leave a large number of clients unable to connect to Dropbox in case we need to rotate the certificates.
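
The two Dropbox replies above describe one policy: let the platform validate the chain, then require that the root which anchored it is in the app's pin set, and never pin intermediates or leaves. The Go program below is an added example illustrating that policy; it is not code from this thread, from the Dropbox SDK, or from any Dropbox client. It builds a throwaway PKI entirely offline (two constructed roots "Demo Root A" and "Demo Root B", constructed intermediates, and leaves for the hypothetical host api.example.test, none of which are real CAs or Dropbox endpoints), pins only Root A by SPKI hash, and then checks three chains: the original one, a rotated one where both the intermediate and the leaf were reissued under the same root, and a perfectly valid chain from a root the OS trusts but the app never pinned. It also evaluates what the original poster's leaf pin would have said about the rotated chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on errors a constructed demo PKI cannot legitimately hit (e.g. a broken CSPRNG).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a cert for cn, self-signed when parent is nil, else signed by parentKey; leaves get a SAN for host.
func issue(cn, host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{ // demo only: the serial is just a timestamp
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.DNSNames = []string{host}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// spkiPin is the usual pin form: SHA-256 over the DER SubjectPublicKeyInfo, not over the whole cert.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// verifyWithRootPins models a mobile client: the platform validates the presented chain (leaf first)
// against its trust store, then the app requires the root anchoring a valid chain to be in its pin set.
func verifyWithRootPins(host string, presented []*x509.Certificate, systemRoots *x509.CertPool, rootPins map[[32]byte]bool) (string, error) {
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: systemRoots, Intermediates: inter})
	if err != nil {
		return "", err // ordinary TLS failure: expired, wrong host, unknown issuer
	}
	for _, chain := range chains { // several paths may exist; any pinned anchor will do
		if anchor := chain[len(chain)-1]; rootPins[spkiPin(anchor)] {
			return anchor.Subject.CommonName, nil
		}
	}
	return "", fmt.Errorf("chain for %s is valid but not anchored in a pinned root", host)
}

type DemoResult struct {
	OriginalAnchor, RotatedAnchor string // root CN anchoring the chain before / after rotation
	OriginalErr, RotatedErr       error  // both nil: root pins survive the rotation
	ForeignRootErr                error  // non-nil: a valid chain from an unpinned root is refused
	LeafPinSurvivesRotation       bool   // false: a leaf pin would have locked clients out
}

// RunDemo builds two roots the platform trusts, pins only one in the app, and tests three chains for one host.
func RunDemo() DemoResult {
	const host = "api.example.test" // hypothetical; not a Dropbox endpoint
	rootA, keyA := issue("Demo Root A", "", true, nil, nil)
	rootB, keyB := issue("Demo Root B", "", true, nil, nil)
	interA1, keyA1 := issue("Demo Intermediate A1", "", true, rootA, keyA)
	leaf1, _ := issue(host, host, false, interA1, keyA1)
	interA2, keyA2 := issue("Demo Intermediate A2", "", true, rootA, keyA) // rotation: new intermediate and leaf, same root
	leaf2, _ := issue(host, host, false, interA2, keyA2)
	leafB, _ := issue(host, host, false, rootB, keyB) // valid for the platform, but rootB was never pinned
	system := x509.NewCertPool() // stand-in for the OS trust store
	system.AddCert(rootA)
	system.AddCert(rootB)
	pins := map[[32]byte]bool{spkiPin(rootA): true} // the app ships root pins only, per the Dropbox reply above
	var r DemoResult
	r.OriginalAnchor, r.OriginalErr = verifyWithRootPins(host, []*x509.Certificate{leaf1, interA1}, system, pins)
	r.RotatedAnchor, r.RotatedErr = verifyWithRootPins(host, []*x509.Certificate{leaf2, interA2}, system, pins)
	_, r.ForeignRootErr = verifyWithRootPins(host, []*x509.Certificate{leafB}, system, pins)
	r.LeafPinSurvivesRotation = spkiPin(leaf1) == spkiPin(leaf2) // what the OP's leaf pin would compare
	return r
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

Two practical points follow from the example. First, the pin check runs only on a chain the platform has already validated, so the app never builds or trusts a path itself; on a real device that chain is the one the TLS stack hands back, and the app compares its anchor against the shipped root list, which is why the SDK list deliberately includes roots Dropbox is not yet serving under. Second, a root pin is weaker than a leaf pin against a mis-issuance by the pinned CA itself: any certificate that CA (or any of its intermediates) issues for the host will pass. That is the trade the replies above make knowingly, trading some MITM resistance for being able to rotate intermediates and leaves without stranding installed clients.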


Re: Dropbox Certificate Chain for Certificate Pinning - single or multiple chains?

New member | Level 1

Thanks once again Greg! It all makes sense now
