Overview
Some common applications, such as Facebook, Instagram and Snapchat, do not work as apps when filtered by Securly SmartDNS or SmartPAC, although their web versions do work in Safari or Chrome.
Cause
Securly SmartPAC and SmartDNS inspect all traffic to the application servers. The traffic we return to the device has been re-encrypted with the Securly SSL certificate, which the applications do not accept.
This is due to certificate pinning, where the application or operating system accepts only a preconfigured certificate. Because Securly SmartPAC and SmartDNS perform MiTM inspection on these applications and services and re-encrypt the traffic with our own certificate, the certificate we present is not accepted, and the applications either do not load or do not operate as expected.
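The pin check described above, as an added illustration that is not Securly's or any app vendor's code. It assumes the app pins the SHA-256 of the server's public key (an SPKI pin); the hostname, file names and self-signed certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example: a pinned client rejects a certificate re-issued for the same
# hostname. Certificates here are self-signed stand-ins (constructed data);
# the pin covers the public key, so the issuer does not affect the result.

# SPKI pin: base64(SHA-256(DER SubjectPublicKeyInfo)) of a PEM certificate.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# Write a certificate for host $2, with a freshly generated key, to file $1.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# The client-side decision: accept only if the presented certificate's pin
# equals the preconfigured one. $1 = expected pin, $2 = presented certificate.
pin_check() {
    if [ "$(spki_pin "$2")" = "$1" ]; then echo accept; else echo reject; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    # Certificate served by the application's own server (hypothetical host).
    make_cert "$dir/origin.pem" app.example.test
    # Certificate an inspecting proxy presents for the same hostname.
    make_cert "$dir/proxy.pem" app.example.test
    # Pin value that would be shipped inside the app.
    pinned=$(spki_pin "$dir/origin.pem")
    echo "pinned SPKI:          $pinned"
    echo "direct connection:    $(pin_check "$pinned" "$dir/origin.pem")"
    echo "inspected connection: $(pin_check "$pinned" "$dir/proxy.pem")"
    rm -rf "$dir"
}

demo
```

The hostname matches in both cases; only the key differs, which is why installing the filter's certificate on the device lets browsers load the site but does not satisfy a pinned app.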
Solution
To get applications that use certificate pinning to work, add the endpoints or domains that the application uses to the Global Allow list.
Note: This will allow all users to access the domains and services that are added. There is no way for the two technologies (certificate pinning and MiTM) to co-exist, because certificate pinning is used to protect against malicious or unwanted MiTM inspection. The broken connections are unhelpful, but they are expected when the two technologies are used at the same time.