Web traffic encryption (AKA SSL, TLS, HTTPS) has long been the norm for most web services, particularly so for corporate SaaS applications such as Salesforce, Microsoft Outlook 365, and Skype. To help protect this traffic from eavesdropping and potential sensitive data exposure, end-to-end encryption is a critical and effective security measure for reducing risk.
Organizations, however, are facing a much wider array of threats, including ransomware and other forms of web-borne malware, data breaches and more. To address this, security tools such as URL filtering, anti virus, sandbox, Data Loss Prevention (DLP), Cloud Access Security Brokers (CASB), to name a few, are deployed and put in charge of inspecting all web traffic.
While most security professionals feel the right mix of security tools is going to keep their users and organizations safe, a widely prevalent practice called “certificate pinning” prevents these tools from delivering the protection they have been entrusted with.
What is certificate pinning and how does it put your organization at risk?
Network security tools implement their protections by inspecting web traffic as it flows through them. For encrypted traffic this requires them to decrypt it in order to gain the visibility they need. Most security tools solve this by performing what is known as SSL inspection. Without getting too technical, we’ll just say this is commonly done using self-signed certificates and a technique known as man-in-middle. For the most part this works pretty well, until they come across a service using certificate pinning. Again, without diving too deep, certificate pinning is a mechanism used by web services to avoid man-in-the-middle inspection, which causes any such attempts to terminate the connection and prevent users from doing their jobs, causing frustration and impacting business.
The only way to enable such services is to bypass SSL Inspection, rendering your security products useless and leaving your users exposed to threats.
How common is the use of certificate pinning? It is used by all services mentioned above: Salesforce, Microsoft 365 Outlook, and Skype, as well as many other commonly used business applications: Dropbox, Google Drive, Webex Teams, Amazon Drive, DocuSign, and many more.
Security vendors are very aware of this shortcoming and have devised solutions which do not rely on SSL inspection. The solutions are API-based, and without going into too much detail, we’ll just say that they have two very critical drawbacks. The first one is that they don’t provide real-time protection. They rely on an alert to be sent from the SaaS provider which needs to be viewed, analyzed and only then acted upon. This can take anywhere from minutes to hours and sometimes days, at which point it is typically far too late to stop a breach.
Secondly, this solution can only be applied to sanctioned SaaS applications which the company is aware of and has deployed the solution for. With more than 85% of SaaS applications being unsanctioned, this leaves a significant portion of the SaaS attack surface completely uncovered even for after-the-fact alerts.
API-based solutions are clearly far from ideal in delivering the security your organization needs.
How can we overcome certificate pinning?
The problem lies in the man-in-the middle approach traditional tools use. This is true for solutions delivered as edge-deployed appliances, physical or virtual, as well as cloud-delivered services (e.g. cloud SWG, CASB, SSE/SASE).
By moving the deployment location into the browser itself, we are able to overcome this limitation. As the browser has visibility into outbound traffic before it is encrypted, and inbound traffic after it has decrypted, inspecting traffic at this point of intersection enables the insight needed to effectively detect and block threats. This enables complete security coverage with real time protection for all web traffic, including for services using certificate pinning.
Placing web security within the browser has many other benefits, including improved performance and user-experience, as traffic can be sent directly to its destination, also visibility into browser components such as risky extensions, and visibility into unsanctioned user actions within the browser such as copy-pasting sensitive data as well as entering it into Gen AI tools. It also provides TCO benefits by reducing the number of solutions needed and eliminating the need for supplementary solutions such as API-base security.
LayerX Enterprise Browser Extension natively integrates with any browser, turning it into the most secure and manageable workspace. Enterprises use LayerX to secure their devices, identities, data, and SaaS apps from web-borne threats and browsing risks, such as data leakage over the web, SaaS apps and GenAI Tools, malicious browser extensions, phishing, account takeovers, and more.
Request a demo of LayerX here
