Certificate Pinning
  • 20 Feb 2024

      What is Certificate Pinning?

      Certificate Pinning is the process by which native applications validate that the certificate presented by the server matches a known set of rules and conditions. Its purpose is to protect the integrity of data in transit and to prevent a bad actor from sniffing traffic by performing a man-in-the-middle attack.

      Those applications will treat all other certificates as invalid, and the TLS connection will be refused.
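To make the pin check concrete, here is an added Python example that is not code from the article or from Harmony SASE. It shows the comparison a pinned client performs and how a certificate re-issued by an inspection gateway fails that comparison. The certificate bytes, the host name app.example and the helper names are constructed for illustration; the pin format (base64 of a SHA-256 digest) is the one used by HTTP Public Key Pinning and by mobile network security configurations.

```python
# Added example (not code from the article or from Harmony SASE): the decision a
# certificate-pinning client makes when it receives a server certificate, and why
# a certificate re-issued by a TLS-inspection gateway is rejected.
import base64
import hashlib
import hmac
import ssl


def pin_value(der_bytes):
    """base64(SHA-256(DER)): the pin format used by HPKP and by mobile network
    security configs. Real clients usually hash the SubjectPublicKeyInfo rather
    than the whole certificate; this example hashes whatever DER it is given."""
    return base64.b64encode(hashlib.sha256(der_bytes).digest()).decode("ascii")


def pin_matches(der_bytes, pinned_values):
    """True if the presented DER matches any pin (primary or backup). The
    comparison is constant-time so timing does not reveal how close a
    candidate was to a pinned value."""
    candidate = pin_value(der_bytes)
    return any(hmac.compare_digest(candidate, pin) for pin in pinned_values)


def evaluate_handshake(der_bytes, pinned_values):
    """Return (accepted, reason) for a presented certificate."""
    if pin_matches(der_bytes, pinned_values):
        return True, "certificate matches a pinned value; TLS connection proceeds"
    return False, ("certificate does not match any pinned value; the application "
                   "refuses the TLS connection")


def fetch_peer_cert_der(host, port=443):
    """Live helper, not used by the offline demo: fetch a server's leaf
    certificate and convert it to DER so it can be passed to pin_value()."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-ins for DER-encoded certificates (not real certificates).
ORIGIN_CERT_DER = b"constructed: leaf cert for app.example issued by a public CA"
GATEWAY_CERT_DER = b"constructed: leaf cert for app.example re-issued by the inspection gateway"
BACKUP_KEY_DER = b"constructed: backup key the app ships so pins can be rotated"

# What a pinned application ships with: the expected value plus a backup pin.
APP_PINS = {pin_value(ORIGIN_CERT_DER), pin_value(BACKUP_KEY_DER)}

if __name__ == "__main__":
    for label, der in (("origin", ORIGIN_CERT_DER), ("gateway", GATEWAY_CERT_DER)):
        accepted, reason = evaluate_handshake(der, APP_PINS)
        print(f"{label:8s} accepted={accepted}  {reason}")
```

The gateway-issued certificate chains to a CA the operating system may trust, but the application never consults the system trust store for this decision: only the pin set matters, which is exactly why SWG needs a bypass for such applications rather than a trusted root.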

      How does it affect my users?

      If your organization uses Secure Web Gateway (SWG), the Harmony SASE agent uses TLS inspection to prevent questionable sites from hiding malicious payloads inside encrypted traffic. During this process, our system issues certificates signed by Harmony SASE. Applications that use Certificate Pinning may therefore treat those certificates as invalid and fail to establish a TLS connection.

      What to do?

      SWG should be configured to bypass applications known to utilize certificate pinning.

      Applications can be bypassed using the following methods:

      1. Using the process name of the application
      2. A specific domain the application may be accessing
      3. A combination of the above methods. 
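As an illustration of the three bypass methods, the following Python is an added example and not the Harmony SASE agent's logic. The rule semantics it assumes (a rule matches only when every criterion it specifies matches, and a listed domain also covers that domain's subdomains) and the rule objects it builds from entries in the table further down are assumptions made for illustration.

```python
# Added example (not the Harmony SASE agent's code): evaluating SWG bypass rules
# that identify an application by process name, by domain, or by both.
# Assumed semantics: every criterion present on a rule must match, and a listed
# domain covers the domain itself and all of its subdomains.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BypassRule:
    name: str
    program: Optional[str] = None  # bare binary name (Windows/Linux) or bundle id (macOS)
    domain: Optional[str] = None   # registrable domain or host name


def domain_matches(rule_domain, host):
    """'zoom.us' matches 'zoom.us' and 'us04web.zoom.us' but not 'notzoom.us'."""
    host = host.lower().rstrip(".")
    rule_domain = rule_domain.lower().rstrip(".")
    return host == rule_domain or host.endswith("." + rule_domain)


def program_matches(rule_program, process_name):
    """Exact, case-insensitive match on the bare process name."""
    return rule_program.lower() == process_name.lower()


def rule_matches(rule, process_name, host):
    """A rule with no criteria matches nothing; otherwise all criteria must hold."""
    checks = []
    if rule.program is not None:
        checks.append(program_matches(rule.program, process_name))
    if rule.domain is not None:
        checks.append(domain_matches(rule.domain, host))
    return bool(checks) and all(checks)


def first_matching_rule(rules, process_name, host):
    """Name of the first rule that exempts this connection from inspection, or None."""
    for rule in rules:
        if rule_matches(rule, process_name, host):
            return rule.name
    return None


# Constructed rule set built from entries in the article's application table.
RULES = [
    BypassRule("Dropbox client", program="dropbox.exe"),
    BypassRule("Dropbox client (macOS)", program="com.getdropbox.dropbox"),
    BypassRule("Zoom", program="zoom.exe", domain="zoom.us"),
    BypassRule("Apple services", domain="icloud.com"),
]

if __name__ == "__main__":
    for proc, host in (("Dropbox.exe", "client.dropbox.com"),
                       ("zoom.exe", "us04web.zoom.us"),
                       ("zoom.exe", "www.example.com"),
                       ("chrome.exe", "www.icloud.com"),
                       ("chrome.exe", "notzoom.us")):
        print(f"{proc:12s} {host:20s} -> {first_matching_rule(RULES, proc, host)}")
```

The suffix check in domain_matches is the part worth getting right: matching on a plain substring would let an unrelated host such as notzoom.us slip past inspection, which widens the bypass beyond the pinned application.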


      To get the exact process name, do the following:

      Windows: Open the Task Manager and search for the application. The program name is shown under the Details tab.

      (Screenshot: Windows SWG agent.png)

      Copy the exact process name.

      MacOS:

      1. Go to the Activity Monitor > Inspect selected process > Sample > Binary Images section > first item in the list.
      2. Open Finder > Applications > Show Package Contents > Contents/Info.plist > Grab the string after the CFBundleIdentifier key.

      Linux:
      Use this command:

      ps aux | grep app_name

      Note that the process name used in a bypass rule should be only the binary name itself, not its full path.
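The following added Python example (not part of the article) performs the two extractions the steps above describe: taking the bare binary name from `ps aux` output on Linux, and reading CFBundleIdentifier from an app bundle's Info.plist on macOS. The `ps aux` output and the Info.plist contents are constructed samples.

```python
# Added example (not part of the article): deriving the bare binary name from
# `ps aux` output on Linux and the bundle identifier from Info.plist on macOS.
import os
import plistlib
import shlex


def binary_name_from_ps_line(line):
    """Return only the executable's basename from one `ps aux` line: the COMMAND
    column is everything after the first ten fields, and the bypass rule wants
    neither its directory nor its arguments."""
    fields = line.split(None, 10)
    if len(fields) < 11:
        raise ValueError("not a ps aux line: %r" % line)
    command = fields[10]
    if command.startswith("["):          # kernel thread, e.g. [kworker/0:1H]
        return command.strip("[]").split("/")[0]
    try:
        argv0 = shlex.split(command)[0]  # respects quoted paths with spaces
    except ValueError:                   # unbalanced quotes: fall back to whitespace
        argv0 = command.split()[0]
    return os.path.basename(argv0)


def find_processes(ps_output, name_fragment):
    """Equivalent of `ps aux | grep app_name`, but returning the distinct bare
    binary names of the matching lines (header skipped)."""
    names = []
    for line in ps_output.strip().splitlines()[1:]:
        if name_fragment.lower() in line.lower():
            name = binary_name_from_ps_line(line)
            if name not in names:
                names.append(name)
    return names


def bundle_identifier(plist_bytes):
    """CFBundleIdentifier from the bytes of Contents/Info.plist."""
    return plistlib.loads(plist_bytes)["CFBundleIdentifier"]


def bundle_identifier_from_app(app_path):
    """Same, reading <App>.app/Contents/Info.plist from disk (macOS only)."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
        return bundle_identifier(fh.read())


# Constructed `ps aux` output; paths and PIDs are illustrative.
PS_AUX_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
alice     2314  0.3  1.2 812340 98764 ?        Sl   09:12   0:07 /opt/dropbox/dropbox --autostart
alice     2410  0.0  0.5 234560 45672 ?        S    09:13   0:01 /usr/bin/python3 /home/alice/.local/bin/dropbox start
root       117  0.0  0.0      0     0 ?        I<   09:00   0:00 [kworker/0:1H]
"""

# Constructed minimal Info.plist for a hypothetical app bundle.
INFO_PLIST_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleExecutable</key>
  <string>PinnedApp</string>
  <key>CFBundleIdentifier</key>
  <string>com.example.pinnedapp</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("Linux binary names matching 'dropbox':", find_processes(PS_AUX_SAMPLE, "dropbox"))
    print("macOS bundle identifier:", bundle_identifier(INFO_PLIST_SAMPLE))
```

The sample output also shows a pitfall of the grep approach: the second matching line is a Python wrapper script, so its binary name is python3 rather than dropbox. Check the matched lines before copying a name into a bypass rule, since a rule on python3 would exempt far more than the intended application.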

      Here are some examples of applications that use Certificate Pinning, with bypass criteria for each:

      | Application | Program | Domain |
      | --- | --- | --- |
      | Adobe Suite (including Acrobat Reader, Creative Cloud and software updates) | n/a | Fill in these domain lists: List 1, List 2 |
      | Apple's iMessages, iTunes, App Store, Mail | n/a | p24-keyvalueservice.icloud.com, apps.apple.com, itunes.apple.com, mzstatic.com, gs-loc.apple.com, gsa.apple.com, securemetrics.apple.com, swscan.apple.com, xp.apple.com, icloud.com, ppq.apple.com, akadns.net, mail.me.com |
      | AWS Console | n/a | console.aws.amazon.com, docs.aws.amazon.com, signin.aws.amazon.com, fls-na.amazon.com, cdn.assets.as2.amazonaws.com, aws-signin-website-assets.s3.amazonaws.com, opfcaptcha-prod.s3.amazonaws.com, d1dgtfo2wk29o4.cloudfront.net, Images-na.ssl-images-amazon.com |
      | Bitdefender | n/a | cdn.bitdefender.net, download.bitdefender.com, login.bitdefender.net, login.bitdefender.com, nimbus.bitdefender.net, push.bitdefender.net, upgrade.bitdefender.com |
      | DropBox | Windows: dropbox.exe, dropboxupdate.exe. macOS: com.getdropbox.dropbox | n/a |
      | Evernote | evernote.exe | announce.evernote.com, cd1.evernote.com, evernote-a.akamaihd.net, www.evernote.com |
      | Google Drive | Windows: googledrivesync.exe, GoogleDriveFS.exe. macOS: com.google.drivefs, com.google.drivefs.finderhelper.findersync | n/a |
      | Google Services | n/a | accounts.google.com, alt2-mtalk.google.com, android.clients.google.com, www.google.com, android.googleapis.com, cryptauthenrollment.googleapis.com, device-provisioning.googleapis.com, digitalassetlinks.googleapis.com, fcmconnection.googleapis.com, fcmtoken.googleapis.com, firebaseperusertopics-pa.googleapis.com, play.googleapis.com, semanticlocation-pa.googleapis.com, lh3.googleusercontent.com, play-lh.googleusercontent.com, gstatic.com, gvt1.com |
      | Java Updates | | sjremetrics.java.com, javadl-esd-secure.oracle.com |
      | LogMeIn | logmein.exe | Fill in this domain list |
      | Microsoft Defender | n/a | Fill in this domain list |
      | Microsoft Lync and Skype | | lync.com, az801095.vo.msecnd.net, i.s-microsoft.com |
      | Microsoft Office365 | Configure within Office365 under Policy > URL & Cloud App Control > Advanced Settings | For Outlook, please add the following domains: office365.com, office.net, office.com |
      | Microsoft OneDrive | n/a | cdn.funcaptcha.com, fpt.live.com, login.live.com, odc.officeapps.live.com, skyapi.policies.live.net, signup.live.com, skyapi.live.net, pipe.aria.microsoft.com, data.microsoft.com, svc.ms, msauth.net, onedrive.com, cdn.onenote.net |
      | Microsoft Windows Store | n/a | eus-streaming-video-msn-com, wns.windows.com, live.com, clientconfig.passport.net, wustat.windows.com, windowsupdate.com, msftncsi.com, microsoft.com |
      | Microsoft Updates | n/a | login.live.com, settings-win.data.microsoft.com, vortex-win.data.microsoft.com, delivery.mp.microsoft.com, tsfe.trafficshaping.dsp.mp.microsoft.com, update.microsoft.com, sls.update.microsoft.com, login.microsoft.com |
      | Slack | Windows: slack.exe. macOS: com.tinyspeck.slackmacgap, com.tinyspeck.slackmacgap.helper | n/a |
      | Spotify | | spotify.com |
      | Webex | atmrg.exe, wmlhost.exe, webexmta.exe, washost.exe | webex.com |
      | Zoom | Windows: zoom.exe. macOS: us.zoom.xos | zoom.us |


      Default Bypass Rules

      The Default Bypass rules prevent potential issues caused by applications and web services that are known to use certificate pinning.

      Viewing the Default Bypass Rules

      Users can see the complete list of default Bypass Rules by navigating to Web Security > Bypass Rules.

      | Rule Name | Status | Source | Programs | Domains | Categories |
      | --- | --- | --- | --- | --- | --- |
      | Bypass sensitive traffic - Pre-configured | Disabled | | | | Financial Services, Government, Health and Medicine, Legal |
      | Bypass Microsoft updates - Pre-configured | Enabled | | | login.live.com, settings-win.data.microsoft.com, vortex-win.data.microsoft.com, delivery.mp.microsoft.com, tsfe.trafficshaping.dsp.mp.microsoft.com, update.microsoft.com, sls.update.microsoft.com, login.microsoft.com | |
      | Bypass Adobe updates - Pre-configured | Enabled | | | adobe.com, adobetag.com | |
      | Bypass Java updates - Pre-configured | Enabled | | | sjremetrics.java.com, javadl-esd-secure.oracle.com | |
      | Bypass Mozilla Firefox updates - Pre-configured | Enabled | | | download-installer.cdn.mozilla.net | |
      | Bypass AWS console - Pre-configured | Enabled | | | console.aws.amazon.com, docs.aws.amazon.com, signin.aws.amazon.com, fls-na.amazon.com, cdn.assets.as2.amazonaws.com, aws-signin-website-assets.s3.amazonaws.com, opfcaptcha-prod.s3.amazonaws.com, d1dgtfo2wk29o4.cloudfront.net, Images-na.ssl-images-amazon.com | |
      | Bypass Dropbox - Pre-configured | Enabled | | | dropbox.com, dropboxapi.com, previews.dropboxusercontent.com, mmp.getdropbox.com | |
      | Bypass Google services - Pre-configured | Enabled | | | accounts.google.com, alt2-mtalk.google.com, android.clients.google.com, www.google.com, android.googleapis.com, cryptauthenrollment.googleapis.com, device-provisioning.googleapis.com, digitalassetlinks.googleapis.com, fcmconnection.googleapis.com, fcmtoken.googleapis.com, firebaseperusertopics-pa.googleapis.com, play.googleapis.com, semanticlocation-pa.googleapis.com, lh3.googleusercontent.com, play-lh.googleusercontent.com, gstatic.com, gvt1.com | |
      | Bypass OneDrive - Pre-configured | Enabled | | | cdn.funcaptcha.com, fpt.live.com, login.live.com, odc.officeapps.live.com, skyapi.policies.live.net, signup.live.com, skyapi.live.net, pipe.aria.microsoft.com, data.microsoft.com, svc.ms, msauth.net, onedrive.com, cdn.onenote.net | |
      | Bypass LogMeIn - Pre-configured | Enabled | | | cdngetgo.com, expertcity.com, getgo.com, getgocdn.com, getgoservices.com, getgoservices.net, go2assist.me, gofastchat.com, goto-rtc.com, gotoassist.com, gotoassist.at, gotoassist.me, gotomeet.me, gotomeet.at, gotomeeting.com, gotomypc.com, gotostage.com, gototraining.com, gotowebinar.com, helpme.net, accounts.logme.in, joingotomeeting.com, jointraining.com, joinwebinar.com, logmein.com, logmeininc.com, logmeinrescue.com | |
      | Bypass Microsoft Lync and Skype - Pre-configured | Enabled | | | lync.com, az801095.vo.msecnd.net, i.s-microsoft.com | |
      | Bypass Apple services - Pre-configured | Enabled | | | p24-keyvalueservice.icloud.com, apps.apple.com, itunes.apple.com, mzstatic.com, gs-loc.apple.com, gsa.apple.com, securemetrics.apple.com, swscan.apple.com, xp.apple.com, icloud.com, ppq.apple.com, akadns.net, mail.me.com, music.apple.com | |
      | Bypass Bitdefender services - Pre-configured | Enabled | | | cdn.bitdefender.net, download.bitdefender.com, login.bitdefender.net, login.bitdefender.com, nimbus.bitdefender.net, push.bitdefender.net, upgrade.bitdefender.com | |
      | Bypass Zoom - Pre-configured | Enabled | | | zoom.us | |
      | Bypass Webex - Pre-configured | Enabled | | | webex.com | |
      | Bypass Spotify - Pre-configured | Enabled | | | spotify.com | |


