by yfiapo 2663 days ago
Certificate pinning is used by some very common applications and can break a MITM that relies on a self-signed certificate.
3 comments

Then those applications are correctly getting the behavior they desire: either they get a secure connection or they don't connect at all.
Do you have any example of such applications that would be used by a bank?
I don't work for a bank so I can't speak definitively to their applications. A few sample applications I see listed as certificate pinned in Netskope (a CASB) though include:

  Adobe Creative Cloud
  Amazon Work Spaces
  Docusign
  GitHub
  Google Drive
  GoToMeeting
  iCloud
  Microsoft Office 365 Outlook.com
  Microsoft Skype for Business
  Salesforce.com
Note this typically refers to native applications and plugins which also connect over TLS and not web applications.
My suspicion was that any such applications have a web version.

I'm a bit surprised by Skype for Business (horrible product BTW, it's a gamble to even be able to sign in on a fresh install) though, the rest I would expect people to use web versions of.

I would think that (perhaps coincidentally), the organizations that require these kinds of insights are not the ones that are relying on services that do cert pinning. And if they do, they can put the marketing department/the server running THAT wonky old software from the 90s in a separate subnet.

Isn't that exactly the same between TLS 1.2 and 1.3? They won't have the private keys for google drive. How are those handled today?
Are those common applications necessary for their business operations though? They could just blacklist them entirely.
Besides, many of those applications depin when you install custom CAs, don't they?
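As an added illustration of the two points raised in this thread (not code from any commenter or from Netskope): a stdlib-only Python model of a pinning client, showing why a chain re-signed by a TLS-inspecting proxy yields "connect securely or not at all", and what changes if the client skips pin enforcement for user-installed roots (the "depin" behaviour asked about; Chrome does this for its built-in pins). The hostname, the SPKI byte strings and the function names are constructed for the example.

```python
import base64
import hashlib

class PinMismatch(Exception):
    """Raised when the presented chain contains no pinned public key."""

def spki_pin(spki_der: bytes) -> str:
    """Pin format used by HPKP and Android network-security-config:
    base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pinned_connect(host, chain_spkis, pins, chain_ends_at_user_ca=False,
                   enforce_pins_for_user_cas=True):
    """Model of a pinning client, run *after* normal chain validation.

    chain_spkis: SPKI DER of each cert in the validated chain (leaf first).
    pins: accepted pins, normally the leaf key plus a backup key.
    chain_ends_at_user_ca: True when the chain terminates at a locally
        installed trust anchor (e.g. a CASB or corporate proxy root).
    enforce_pins_for_user_cas: False models clients that "depin" for
        user-installed roots.
    Returns a "connected" string or raises PinMismatch; there is no
    degraded mode in between.
    """
    if chain_ends_at_user_ca and not enforce_pins_for_user_cas:
        return "connected (pins bypassed for user-installed CA)"
    if any(spki_pin(s) in pins for s in chain_spkis):
        return "connected"
    raise PinMismatch(f"{host}: no key in the presented chain matches a pin")

# Constructed stand-ins for SPKI DER blobs; real ones come from the certificates.
REAL_LEAF_SPKI = b"constructed SPKI of the service's real leaf key"
REAL_BACKUP_SPKI = b"constructed SPKI of the service's backup key"
PROXY_LEAF_SPKI = b"constructed SPKI of the key a TLS-inspecting proxy re-signs with"
PROXY_ROOT_SPKI = b"constructed SPKI of the proxy's own root"

APP_PINS = {spki_pin(REAL_LEAF_SPKI), spki_pin(REAL_BACKUP_SPKI)}

def direct_connection():
    return pinned_connect("api.example.test", [REAL_LEAF_SPKI], APP_PINS)

def inspected_connection(depin_for_user_ca=False):
    # The proxy's chain validates (its root was installed on the host) but
    # carries none of the app's pinned keys.
    return pinned_connect("api.example.test", [PROXY_LEAF_SPKI, PROXY_ROOT_SPKI],
                          APP_PINS, chain_ends_at_user_ca=True,
                          enforce_pins_for_user_cas=not depin_for_user_ca)

if __name__ == "__main__":
    print(direct_connection())
    try:
        print(inspected_connection())
    except PinMismatch as e:
        print("refused:", e)
    print(inspected_connection(depin_for_user_ca=True))
```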