Overview
Certificate Pinning is a security mechanism that binds an application to a specific SSL/TLS certificate or a set of certificates. It helps prevent Man-in-the-Middle (MITM) attacks by rejecting connections that do not match the pinned certificate. However, this can interfere with legitimate SSL inspection tools like Zscaler, which act as intermediaries to inspect encrypted traffic for security threats.
This KB outlines how certificate pinning works, why it breaks Zscaler SSL inspection, and how to exempt affected applications from inspection.
What is Certificate Pinning?
Certificate Pinning involves embedding the expected SSL/TLS certificate (or its hash) within an application. When the application connects to a server:
- It verifies the server’s certificate against the pinned value.
- If there’s a mismatch, the connection is blocked.
Pinning is common in banking apps, high-security websites, and some enterprise systems.
Impact on Zscaler SSL Inspection
Zscaler intercepts HTTPS traffic by terminating the TLS session and presenting the client with a certificate it has issued from its own intermediate CA. For a pinned application, that certificate (and its public key) does not match the pinned value, so the application rejects the connection, typically surfacing as a TLS handshake or certificate validation error rather than a clear "pinning" message.
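As an added illustration (not part of this KB or of Zscaler's own tooling), the Go program below implements the public-key pin check described above and shows why an inspecting proxy's re-issued certificate fails it. The certificates are constructed fixtures with a hypothetical host name; in a real client the same check would run inside the TLS verification callback.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is the HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo)); pinning the key survives renewals that keep it.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinMatches reports whether any certificate in the presented chain carries a pinned key; a pinned client aborts otherwise.
func pinMatches(pins []string, chain []*x509.Certificate) bool {
	for _, cert := range chain {
		for _, pin := range pins {
			if spkiPin(cert) == pin {
				return true
			}
		}
	}
	return false
}

// newSelfSigned mints a constructed fixture: same name each call, fresh P-256 key, so it models both origin and proxy certs.
func newSelfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 with a CSPRNG does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // fixture only; a real client would surface the error
	}
	cert, _ := x509.ParseCertificate(der) // re-parse what was just encoded
	return cert
}

func main() {
	origin, proxy := newSelfSigned("bank.example"), newSelfSigned("bank.example")
	pins := []string{spkiPin(origin)} // the value baked into the app at build time
	fmt.Println("direct:", pinMatches(pins, []*x509.Certificate{origin}), "inspected:", pinMatches(pins, []*x509.Certificate{proxy}))
}
```

The proxy certificate carries the same name but a different key, so its pin differs and the check fails exactly as it does behind an inspecting Zscaler node.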
Steps to Bypass Certificate Pinning
1. Using Zscaler Bypass Rules
The simplest and supported method is to exempt the specific applications from SSL inspection so that they see the origin server's real certificate.
- Identify the Application: Determine the application or URL that uses certificate pinning.
- Create a Bypass Rule in Zscaler:
  - Go to the Zscaler Admin Portal.
  - Navigate to Policy > SSL Inspection > SSL Bypass Rules.
  - Add the domain, IP address, or URL regex pattern to bypass SSL inspection.
Limitations:
- Exempted traffic is not inspected, so threats and data loss inside it are not visible to Zscaler.
- A single rule may not cover an application that uses several domains or endpoints; each pinned destination must be identified and bypassed.
Best Practices
- Use SSL inspection bypass rules only when absolutely necessary.
- Document and monitor all exceptions for auditing purposes.
- Educate users on the implications of SSL inspection and pinning.
- Regularly review and update Zscaler rules to minimize bypasses.