Hi guys! I have some TLS decryption questions and issues I need some clarification on.
I’ve been using Zero Trust now with TLS decryption for some time and for the most part, it is working well, however not the case on mobile devices.
I find that for mobile devices, a lot of applications do not load. Things like facebook, banking apps etc. Is there a way to resolve this? This is not the case on desktop browsers.
Failing that, I would need to setup a policy to Do Not Decrypt for mobile devices.
This is most likely due to certificate pinning. You cannot and should not intercept TLS traffic for these apps. You will need to create a “Do Not Decrypt” policy for these domains.
Certificate pinning is not possible in desktop browsers because websites have no way of telling the client which certificates to trust. This is in contrast to first-party apps which can embed the certificates in the binary.
Why is this?
Whats the reason that it should not be decrypted for these?
When you MitM/decrypt a TLS connection, the contents of that connection can be read and modified by Cloudflare and, depending on the setup, you as the account admin.
This includes all kind of sensitive information such as login credentials, messages, banking information and such.
To make it very clear: intercepting and decrypting traffic made by a banking app could in theory allow you to to make bank transfers on behalf of the user and drain their account.
Certificate pinning is there for a very good reason.