Deep packet inspection

tedauction
Level 1

Hello, I have just implemented Deep Packet SSL Inspection on our firewall.
I am finding instances of SSL certificate pinning (HPKP) where I need to make exceptions to the DPI list e.g. *.google.com etc. This fixes the problem.
What I am finding strange is how some of the sites I need to make exceptions for do not 'seem' to be using HPKP pinning (or HSTS).
For example, when I look within Chrome browser 'chrome://net-internals/#capture' I do not see any entries for those particular sites using pinning or HSTS (HTTP strict transport security). Also, when I do lookups on public SSL verification sites, they say there are no HPKP or HSTS headers being used on that site. Why would this be?
Could it be to do with the fact that some sites aggregate content from many other sites and perhaps one of those aggregated sites is using HPKP or HSTS headers?
The other strange issue is that sometimes these problem sites work for users and sometimes they don't. Could this be related to the above, in that these sites may be dynamically pulling content from different third party sites that use HPKP or HSTS headers?
Has anyone else encountered this sort of issue?
Thanks kindly.
