There has been a staggering growth of mobile applications (“apps,” also referred to herein as client apps, mobile client apps, etc.) in the enterprise networking landscape (and everywhere). Most of these mobile apps are designed to communicate with dedicated servers, which makes them agnostic of the network path and of the network devices along their communication journey. Secure Sockets Layer (SSL) is the protocol most widely used by such apps to ensure a degree of security over the otherwise insecure channel. The SSL protocol uses public key cryptography to authenticate the identity of the communicating parties. The security model for achieving this usually relies on a set of trusted Certificate Authorities (CAs), which makes these communications vulnerable to weaknesses in the CAs.
Mobile client apps only accept server public key certificates that are signed by a trusted CA. To make this requirement more stringent, certain apps require the certificate presented by the server to match a predefined criterion, a practice referred to as certificate pinning. This is done to ensure greater control over the communicating entities and to prevent man-in-the-middle (MITM) attacks. The situation is somewhat of a paradox: entities such as the Domain Name System (DNS) and CAs are trusted and supposed to supply trusted input, yet more and more applications are working hard, through pinning, to eliminate this conference of trust. By pinning the server certificate or its public key, an application no longer needs to depend on third-party entities such as DNS or CAs when making security decisions about a peer's identity. This makes an app immune to MITM attacks. Pinning effectively removes the “conference of trust” by eliminating the set of entities that are beyond the control of a domain owner. Mobile apps achieve this by accepting only server certificates that strictly match a defined criterion, usually the subject public key information.
While this does solve some security concerns that app developers may have, it engenders serious challenges for enterprise security. These mobile apps inevitably fail in network-stringent enterprise environments that are heavily militarized with firewalls, packet filters, proxies, and network access controls. The enterprise security measures impose several constraints on network traffic that often disrupt a mobile application's communication channel. With attack vectors increasingly utilizing encrypted channels to deliver malicious programs and compromise user devices, many enterprises deploy filtering solutions as part of a data loss prevention strategy.
One of the major security measures employed by enterprises is an interception proxy, e.g., an SSL interception proxy. The proxy servers employed in enterprise security systems are aware of SSL-encrypted communication and may need to intercept it in order to provide security services. Such filtering solutions are generally achieved through interception proxies that engage in deep packet inspection to resist SSL-based threats that may range from trivial viruses to sophisticated ransomware. The problem when mobile apps employ certificate pinning is that they reject the connection during negotiation with an interception proxy on account of the peer's (in this case the SSL proxy's) certificate, which the app does not trust because it does not match the pin.
Such apps fail to function in the enterprise environment and fail to provide the desired services, leading to a bad user experience and frustration. The apps are rendered partially or completely dysfunctional by the certificate pinning they employ: they terminate the connection upon receiving a server certificate from the proxy that does not match the pinned criterion. This leads to a bad user experience, and the cloud security system has no visibility into, or resolution for, such issues.
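As an added example (not part of the original text), the following Go program shows the pinning check described above and the failure mode of the previous two paragraphs: a client keeps normal chain validation against the device trust store, additionally pins the SHA-256 of the server's SubjectPublicKeyInfo, and then handshakes once with the genuine server and once with an interception proxy whose root is installed on the device. The host name, certificates and keys are all constructed inside the program; the proxy's certificate passes chain validation but fails the pin, which is exactly the rejection that leaves the app dysfunctional.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed cert for host (constructed test data), installs it as a trusted root in roots, and returns it with its pin (SHA-256 of the SubjectPublicKeyInfo, the value apps usually pin).
func selfSigned(host string, roots *x509.CertPool) (tls.Certificate, [32]byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	parsed, _ := x509.ParseCertificate(der)
	roots.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, sha256.Sum256(parsed.RawSubjectPublicKeyInfo)
}
// pinnedClient keeps the normal chain check against the device trust store and then requires the verified leaf's SPKI hash to equal pin; any other certificate, even one chaining to a trusted root, is rejected.
func pinnedClient(host string, roots *x509.CertPool, pin [32]byte) *tls.Config {
	verify := func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 || sha256.Sum256(chains[0][0].RawSubjectPublicKeyInfo) != pin {
			return errors.New("certificate pin mismatch: peer is not the pinned server")
		}
		return nil
	}
	return &tls.Config{ServerName: host, RootCAs: roots, VerifyPeerCertificate: verify}
}
// handshake runs one in-process TLS handshake over a pipe: the client uses cfg, the server presents srv.
func handshake(cfg *tls.Config, srv tls.Certificate) error {
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	c.SetDeadline(time.Now().Add(3 * time.Second)) // the unbuffered pipe can stall once a cert is rejected
	go tls.Server(s, &tls.Config{Certificates: []tls.Certificate{srv}}).Handshake()
	return tls.Client(c, cfg).Handshake()
}
// Demo connects the pinned app directly, then through an interception proxy whose root the device trusts.
func Demo(host string) (directErr, proxyErr error) {
	roots := x509.NewCertPool() // the device trust store: the genuine server plus the proxy's installed root
	origin, originPin := selfSigned(host, roots)
	proxy, _ := selfSigned(host, roots)
	cfg := pinnedClient(host, roots, originPin) // chain validation passes for both; only the pin rejects the proxy
	return handshake(cfg, origin), handshake(cfg, proxy)
}
```

The pin mismatch error is what the app sees; in practice it then closes the connection, with or without an alert to the server, which is why the interception proxy gets no usable signal about the cause.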
As more and more viruses use encrypted channels to infect machines, it is imperative for enterprises to employ SSL interception proxies to protect users. This poses a conundrum, as app developers would like to eliminate trust in third parties such as CAs, which may be vulnerable to other attacks. To solve this issue, an Information Technology (IT) admin may be tempted to turn SSL interception off, which makes the enterprise's security even worse. Hence, it is desirable for IT admins to selectively turn SSL interception off only for some trusted applications and domains. Since it is very hard for IT admins to know a priori which apps users will use or which domains an app may contact, and these may even change over time, there is a huge need for a better tunneling solution.
The cloud security systems that intercept traffic from endpoint devices in order to provide security and compliance services have little or no idea about the dysfunctional client apps. The client apps terminate the connection, with or without an alert message to the server, upon receiving the mismatched certificate. Further, the IT admin has no way to find all the apps, and their server domains, for which an app performs pinning. As a result, this design does not allow users to use such apps while subscribing to the security or enterprise compliance policies. In order to make these apps functional again, the cloud systems need to identify the certificate-pinned hosts and add them to a bypass list for SSL interception. This process is not only difficult but also requires manual intervention from the IT admin to identify a list of trusted domains for which the enterprise is willing to forgo SSL interception.