fran1942
New Member
April 1, 2017
Solved

Deep Packet Inspection pinning ?

  • April 1, 2017
  • 1 reply
  • 15946 views

Hello, I have just implemented Deep Packet SSL Inspection on our Fortigate firewall.

I am finding instances of SSL certificate pinning (HPKP) where I need to make exceptions to the DPI list e.g. *.google.com etc.

This fixes the problem.

What I am finding strange is how some of the sites I need to make exceptions for do not 'seem' to be using HPKP pinning (or HSTS).

For example, when I look in Chrome at 'chrome://net-internals/#capture', I do not see any entries for those particular sites using pinning or HSTS (HTTP Strict Transport Security). Also, when I do lookups on public SSL verification sites, they say there are no HPKP or HSTS headers being used on that site.

Why would this be?

Could it be to do with the fact that some sites aggregate content from many other sites, and perhaps one of those sites is using HPKP or HSTS headers?

The other strange issue is that sometimes these problem sites work for users and sometimes they don't. Could this be related to the above, in that these sites may be dynamically and variably pulling content from third-party sites that use HPKP or HSTS headers?

Has anyone else encountered this sort of issue?

Thanks kindly.

    Best answer by hmtay_FTNT (Staff, April 2, 2017)

    Hi fran1942,

    >>I am finding instances of SSL certificate pinning (HPKP) where I need to make exceptions to the DPI list e.g. *.google.com etc.

    Did you use a self-signed certificate or a certificate signed by a trusted third-party CA? You would also get different results with different browsers. For example, Mozilla, I believe, in one of its releases had security.cert_pinning.enforcement_level set to 2 by default. However, since then they have set it back to 1, which is the same as the default Chrome setting. The current default settings for both Chrome and Firefox allow MiTM if the trust anchor is a self-signed CA installed by the user.

    https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

    https://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-

    In both browsers, too, only very few sites do certificate pinning. This is a key point with browsers vs. standalone applications. Because there are too many HTTPS sites that can be accessed, it is not possible for browsers to pin all the certificates in the browser. Thus, you are unlikely to see many certificate pinning errors with a browser. Only certain sites like the Google sites, Twitter, etc. have the keys hardcoded in the browser list. With a standalone application, certificate pinning is easily doable since it does not have to cover such a big range of sites.

    The browser settings could be one reason why some sites work sometimes and not other times. In any case, if you are using a self-signed certificate and you have imported the certificate into the trusted root CA list, you should not run into any problems on the browsers unless you are using Firefox and have cert_pinning.enforcement_level set to 2. In my environment, I have no problem doing deep inspection on Google sites.

    Let me know if you have more questions! Thanks.

    HoMing
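The question asks why sites that need a DPI exception show no HPKP or HSTS headers, and the answer explains that HSTS is not pinning, that browser pins for sites such as Google are hard-coded rather than sent as headers, and that default Chrome and Firefox settings do not enforce pins against a user-installed CA. The following script is an added example, not code from the thread or from Fortinet: it parses a site's response headers, computes RFC 7469 pin values (base64 of the SHA-256 of the DER SubjectPublicKeyInfo) for the keys an inspection proxy presents, and reports whether a header-based pin, as opposed to HSTS, would be what breaks inspection. All header values and SPKI byte strings in it are constructed placeholders, and a preloaded browser pin would not be visible to this check at all.

```python
"""Added example (not from the thread): decide from a site's response headers
and the keys an inspection proxy presents whether HPKP, rather than HSTS,
is what would break deep inspection. All inputs are constructed placeholders."""
import base64
import hashlib
import re
from typing import Dict, List, Optional


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def has_hsts(headers: Dict[str, str]) -> bool:
    """HSTS only forces HTTPS and makes certificate errors non-overridable;
    it pins no keys, so on its own it never causes an inspection failure."""
    return _header(headers, "Strict-Transport-Security") is not None


def parse_hpkp(headers: Dict[str, str]) -> Optional[dict]:
    """Return the pin set and directives of a Public-Key-Pins header, or None."""
    value = _header(headers, "Public-Key-Pins")
    if value is None:
        return None
    max_age = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return {
        "pins": re.findall(r'pin-sha256="([^"]+)"', value),
        "max_age": int(max_age.group(1)) if max_age else 0,
        "include_subdomains": "includesubdomains" in value.lower(),
    }


def inspection_verdict(headers: Dict[str, str], presented_spkis: List[bytes]) -> str:
    """Classify a host for the DPI exception list.

    'no-hpkp'   : no pin header. A pin hard-coded in the browser (the Google
                  and Twitter case from the answer) would still not show here.
    'hpkp-ok'   : at least one key in the chain the proxy presents is pinned.
    'hpkp-mismatch-needs-exception' : the re-signed chain matches no pin, so a
                  client that enforces the header would refuse the connection.
    Chrome and Firefox at default settings do not enforce pins against a
    user-installed trust anchor, so this is the worst-case reading.
    """
    hpkp = parse_hpkp(headers)
    if hpkp is None or hpkp["max_age"] == 0:  # max-age=0 clears the pin
        return "no-hpkp"
    presented = {spki_pin(der) for der in presented_spkis}
    if presented & set(hpkp["pins"]):
        return "hpkp-ok"
    return "hpkp-mismatch-needs-exception"


# Constructed placeholder SPKI blobs; real ones are DER taken from the certificates.
ORIGIN_SPKI = b"placeholder-origin-leaf-spki"
BACKUP_SPKI = b"placeholder-origin-backup-spki"
PROXY_CA_SPKI = b"placeholder-inspection-ca-spki"

# Constructed response headers for two hypothetical sites.
HEADERS_PINNED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": (
        f'pin-sha256="{spki_pin(ORIGIN_SPKI)}"; '
        f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
        "max-age=5184000; includeSubDomains"
    ),
}
HEADERS_HSTS_ONLY = {"Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    # The proxy re-signs the leaf with its own CA, so the chain the browser
    # sees carries the proxy CA's SPKI instead of the origin's.
    print("pinned site via proxy:", inspection_verdict(HEADERS_PINNED, [PROXY_CA_SPKI]))
    print("pinned site direct   :", inspection_verdict(HEADERS_PINNED, [ORIGIN_SPKI]))
    print("HSTS-only site       :", inspection_verdict(HEADERS_HSTS_ONLY, [PROXY_CA_SPKI]),
          "| HSTS present:", has_hsts(HEADERS_HSTS_ONLY))
```

To apply this to a real host you would feed it the headers from a direct (uninspected) fetch and the DER SubjectPublicKeyInfo of each certificate in the chain the FortiGate presents; a "no-hpkp" result for a site that still fails is the signature of a pin that lives in the browser's preload list or in a standalone client, which is the case the answer describes.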


    fran1942 (Author)
    New Member
    April 2, 2017

    Hello, thank you for that information.

    So to summarise, what sort of things apart from key pinning can cause deep packet inspection to fail?

    n.b. I do have a self-signed cert which we have distributed to all computers in our company.

    fran1942 (Author)
    New Member
    April 2, 2017

    ...additionally, how do I completely disable pinning in Chrome, because unless I make a DPI exception, then Google sites definitely do fail e.g. Google Drive.