What is Certificate Pinning?
Certificate Pinning is the process by which native applications validate that a certificate provided by the server matches a known set of rules and conditions to ensure the integrity of data in transit and prevent unwanted sniffing of traffic by a bad actor attempting to perform a man-in-the-middle attack.
Those applications will treat all other certificates as invalid, and the TLS connection will be refused.
How does it affect my users?
If your organization uses Secure Web Gateway (SWG), the Harmony SASE agent will utilize TLS inspection to prevent questionable sites from obfuscating malicious payloads within encrypted traffic. During this process, our system issues certificates signed by Harmony SASE. As a result, applications that utilize Certificate Pinning may deem those certificates invalid and fail to create a TLS connection.
What to do?
SWG should be configured to bypass applications known to utilize certificate pinning.
Applications can be bypassed using the following methods:
- Using the process name of the application
- A specific domain the application may be accessing
- A combination of the above methods.
To get the exact process name, you will need to do the following:
Windows: Open the Task Manager and search for the application. The Program name is under the Details tab.
Copy the exact process name.
MacOS:
- Go to the Activity Monitor > Inspect selected process > Sample > Binary Images section > first item in the list.
- Open Finder > Applications > Show Package Contents > Contents/Info.plist > Grab the string after the CFBundleIdentifier key.
Linux:
Use this command:
ps aux | grep app_name
Note that the application process name to be used for bypass rule should be only the binary name itself.
Here are some examples of applications which use Certificate Pinning and bypass criteria for them:
| Application | Program | Domain |
|---|---|---|
| Adobe Suite (including Acrobat Reader, Creative Cloud and software updates) | n/a | Fill in these domain lists: List 1, List 2 |
| Apple's iMessages, iTunes, App Store, Mail | n/a | p24-keyvalueservice.icloud.com, apps.apple.com, itunes.apple.com, mzstatic.com, gs-loc.apple.com, gsa.apple.com, securemetrics.apple.com, swscan.apple.com, xp.apple.com, icloud.com, ppq.apple.com, akadns.net, mail.me.com |
AWS Console | n/a | console.aws.amazon.com, docs.aws.amazon.com, signin.aws.amazon.com, signin.aws.amazon.com, fls-na.amazon.com, cdn.assets.as2.amazonaws.com, aws-signin-website-assets.s3.amazonaws.com, opfcaptcha-prod.s3.amazonaws.com, d1dgtfo2wk29o4.cloudfront.net, Images-na.ssl-images-amazon.com |
| Bitdefender | n/a | cdn.bitdefender.net, download.bitdefender.com, login.bitdefender.net, login.bitdefender.com, nimbus.bitdefender.net, push.bitdefender.net, upgrade.bitdefender.com |
| DropBox | Windows: dropbox.exe, dropboxupdate.exe. macOS: com.getdropbox.dropbox | n/a |
| Evernote | evernote.exe | announce.evernote.com, cd1.evernote.com, evernote-a.akamaihd.net, www.evernote.com |
| Google Drive | Windows: googledrivesync.exe, GoogleDriveFS.exe. macOS: com.google.drivefs, com.google.drivefs.finderhelper.findersync | n/a |
Google Services | n/a | accounts.google.com, alt2-mtalk.google.com, android.clients.google.com, www.google.com, android.googleapis.com, cryptauthenrollment.googleapis.com, device-provisioning.googleapis.com, digitalassetlinks.googleapis.com, fcmconnection.googleapis.com, fcmtoken.googleapis.com, firebaseperusertopics-pa.googleapis.com, play.googleapis.com, semanticlocation-pa.googleapis.com, lh3.googleusercontent.com, play-lh.googleusercontent.com, gstatic.com, gvt1.com, |
Java Updates | sjremetrics.java.comm, javadl-esd-secure.oracle.com | |
| LogMeIn | logmein.exe | Fill in this domain list |
| Microsoft Defender | n/a | Fill in this domain list |
Microsoft Lync and Skype | lync.com, az801095.vo.msecnd.net, i.s-microsoft.com | |
| Microsoft Office365 | Configure within Office365 under Policy > URL & Cloud App Control > Advanced Settings | For Outlook, please add the following domains: office365.com, office.net, office.com |
Microsoft OneDrive | n/a | cdn.funcaptcha.com, fpt.live.com, login.live.com, odc.officeapps.live.com, skyapi.policies.live.net, signup.live.com, skyapi.live.net, pipe.aria.microsoft.com, data.microsoft.com, svc.ms, msauth.net, onedrive.com, cdn.onenote.net |
| Microsoft Windows Store | n/a | eus-streaming-video-msn-com, wns.windows.com, live.com, clientconfig.passport.net, wustat.windows.com, windowsupdate.com, msftncsi.com, microsoft.com |
| Microsoft Updates | n/a | login.live.com, settings-win.data.microsoft.com, vortex-win.data.microsoft.com, delivery.mp.microsoft.com, tsfe.trafficshaping.dsp.mp.microsoft.com, update.microsoft.com, sls.update.microsoft.com, login.microsoft.com |
| Slack | Windows: slack.exe. macOS: com.tinyspeck.slackmacgap, com.tinyspeck.slackmacgap.helper | n/a |
| Spotify | spotify.com | |
| Webex | atmrg.exe, wmlhost.exe, webexmta.exe, washost.exe | webex.com |
| Zoom | Windows: zoom.exe. macOS: us.zoom.xos | zoom.us |
Default Bypass Rules
The Default Bypass rules prevent any potential issues caused by applications and web services that are known to experience certificate pinning.
| Rule Name | Status | Source | Programs | Domains | Categories |
|---|---|---|---|---|---|
| Bypass sensitive traffic - Pre-configured | Disabled | Financial Services, Government, Health and Medicine, Legal | |||
| Bypass Microsoft updates - Pre-configured | Enabled | login.live.com | |||
| Bypass Adobe updates - Pre-configured | Enabled | adobe.com | |||
| Bypass Java updates - Pre-configured | Enabled | sjremetrics.java.com | |||
| Bypass Mozilla Firefox updates - Pre-configured | Enabled | download-installer.cdn.mozilla.net | |||
| Bypass AWS console - Pre-configured | Enabled | console.aws.amazon.com | |||
| Bypass Dropbox - Pre-configured | Enabled | dropbox.com | |||
| Bypass Google services - Pre-configured | Enabled | accounts.google.com | |||
| Bypass OneDrive - Pre-configured | Enabled | cdn.funcaptcha.com | |||
| Bypass LogMeIn - Pre-configured | Enabled | cdngetgo.com | |||
| Bypass Microsoft Lync and Skype - Pre-configured | Enabled | lync.com | |||
| Bypass Apple services - Pre-configured | Enabled | p24-keyvalueservice.icloud.com apps.apple.com itunes.apple.com mzstatic.com gs-loc.apple.com gsa.apple.com securemetrics.apple.com swscan.apple.com xp.apple.com icloud.com ppq.apple.com akadns.net mail.me.com music.apple.com | |||
| Bypass Bitdefender services - Pre-configured | Enabled | cdn.bitdefender.net | |||
| Bypass Zoom - Pre-configured | Enabled | zoom.us | |||
| Bypass Webex - Pre-configured | Enabled | webex.com | |||
| Bypass Spotify - Pre-configured | Enabled | spotify.com |