What is certificate pinning?
I'm superficially familiar with SSL and what certs do. Recently I saw some discussion on cert pinning but there wasn't a definition. A DDG search didn't turn up anything useful. What is certificate pinning?
Certificate pinning allows bypassing standard certificate authority chains to mitigate the risk of a valid certificate being issued to a criminal.
Motivation for a new solution...
SSL/TLS certificates are signed by other certificates. Browsers normally recognize a certificate as valid when at some point of this signature chain a trusted entity is found. The signatures of the trusted entities come in the basic installation of the operating system and browsers. It is an embedded list of about 100 entities.
If one of the trusted certificate authorities is compromised, or if the certificate authority is a victim of fraud, they can issue a valid certificate to a criminal. The criminal will have a perfect SSL/TLS certificate in your name. The criminal will be able to make successful and believable "man in the middle" attacks. The user will see valid certificate info for your website.
Also, it is not difficult to convince the user to install a new trusted certificate authority. For instance, in Brazil, the official certificate authority is not recognized by the main browsers and everyone has to install an additional certificate authority. Browsers got very good at this: just click on a link and answer yes. To reach this level of usability I believe this is a common task worldwide.
The certificate authorities cannot be fully trusted. The process to get a certificate is by no means secure. I already bought one in a company and did not pay much more than to pay for it. Of course it is way better than nothing. But it needs improvement.
What is pinning?
On the first access to the website secure.example.com, the website sends a hidden message to the client browser that loosely translates as:
"In the next N days the secure.example.com website will use the certificate CECECECE. In that period do not accept another certificate, even if the certificate authority claims it is valid for this website. If it happens, notify me at http://100.200.100.200/callbacks/warn_pinning.php".
Pinning solves the problem?
It does not solve the weakness of the certificate authorities' certificate signing process. But it minimises the window of opportunity for a criminal to get by with a man in the middle attack. The attack will only work if the user gets his or her first access to the website.
It is similar to the SSH security. On first access the signature of the key of the server is saved. If in a future access the identification does not match, the system generates a warning. The warning is taken seriously because it only happens when you make real changes. The best thing for a big company is to get notified through clients' complaints that someone has issued a real TLS/SSL certificate in their name to a criminal. As I understand, the pinning mechanism was proposed by Google.
Application Level Pinning
Pinning can also be made outside the browser, by compiling the real certificate fingerprint in an app.
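
The client-side behaviour this answer describes (pin on first access for N days, reject a CA-valid but different certificate, report the mismatch) and the application-level variant, as an added example that is not code from the answer. `PinStore`, `preload`, `check` and `demo` are hypothetical names, the certificate bytes are constructed placeholders, and CA chain validation is assumed to have succeeded before `check()` is called.

```python
import hashlib

DAY = 86400  # seconds

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate's DER encoding, as hex."""
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Hypothetical client-side pin cache (assumption: the CA chain already validated)."""

    def __init__(self):
        self.pins = {}     # host -> (fingerprint, expiry in epoch seconds)
        self.reports = []  # mismatches that would be sent to the site's report URL

    def preload(self, host, fp):
        """Application-level pinning: fingerprint compiled into the app, never expires."""
        self.pins[host] = (fp, float("inf"))

    def check(self, host, cert_der, now, pin_days=None):
        """Return 'pinned', 'ok', 'unpinned' or 'rejected' for one connection."""
        fp = fingerprint(cert_der)
        pinned_fp, expiry = self.pins.get(host, (None, 0))
        if pinned_fp is not None and now < expiry:
            if fp != pinned_fp:
                # CA-valid but not the pinned certificate: refuse and report.
                self.reports.append((host, pinned_fp, fp, now))
                return "rejected"
            if pin_days is not None and expiry != float("inf"):
                self.pins[host] = (fp, now + pin_days * DAY)  # refresh the window
            return "ok"
        if pin_days is None:
            return "unpinned"
        # First contact, or the previous pin expired: trust on first use.
        self.pins[host] = (fp, now + pin_days * DAY)
        return "pinned"

# Constructed placeholder bytes standing in for DER-encoded certificates.
GENUINE = b"constructed-genuine-certificate-der"
ROGUE = b"constructed-ca-valid-but-unexpected-certificate-der"

def demo():
    store, host = PinStore(), "secure.example.com"
    return [
        store.check(host, GENUINE, now=0, pin_days=30),         # first access
        store.check(host, ROGUE, now=10 * DAY),                 # inside the window
        store.check(host, GENUINE, now=10 * DAY),               # inside the window
        store.check(host, ROGUE, now=31 * DAY, pin_days=30),    # window has lapsed
    ]
```

`demo()` returns `['pinned', 'rejected', 'ok', 'pinned']`: the last entry shows that once the N-day window lapses the client is back to first-access trust. A fingerprint loaded with `preload()` has no such window, so the unexpected certificate is rejected even on the very first connection.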