When you browse the web or use an online service that uses HTTPS, you want to make sure that your connection is safe and encrypted. You also want to make sure that the website or service you are connecting to is genuine and reliable. But how can you verify that these conditions are met? One way to ensure that your connection is safe and genuine is to use a technique called certificate pinning.
What is certificate pinning?
Certificate pinning is a method of verifying the identity and legitimacy of a web server by checking its digital certificate against a pre-defined list of trusted certificates or public keys. If you don’t know what the digital certificate is, we explain much about it in another article and we also explain why is it important. To make it easier for you, a digital certificate is a document that contains information about the web server, such as its domain name, owner, issuer, expiration date, and public key. A digital certificate is issued by a trusted third-party entity called a Certificate Authority (CA), which verifies the identity and ownership of the web server.
Why use certificate pinning?
When you visit a website that uses HTTPS (Hypertext Transfer Protocol Secure), your web browser will request the web server’s digital certificate and compare it with the list of trusted CAs that are stored in your browser or operating system. If the certificate is valid and matches one of the trusted CAs, your browser will establish a secure connection with the web server and display a padlock icon or a green bar in the address bar. This means that the website is authentic and that the data you exchange with it is encrypted and confidential.
However, this process is not foolproof. There are cases where hackers can compromise or impersonate CAs and issue fake or malicious certificates for websites that they control. This can lead to Man-in-The-Middle (MiTM) attacks, where hackers can intercept, modify, or steal your data without your knowledge. For example, if you visit a website that claims to be your bank but has a fake certificate issued by a compromised CA, your browser will not detect any anomaly and will trust the website. The hacker can then access your login credentials, personal information, or financial transactions.
This is where certificate pinning comes in handy. Certificate pinning allows you to specify which certificates or public keys you trust for a particular website or domain name. This way, you can bypass the CA verification process and directly compare the web server’s certificate or public key with your pre- defined list. If the certificate or public key does not match any of your pinned certificates or keys, your browser will reject the connection and display a warning message. This means that the website is not authentic or has been tampered with.
Certificate pinning can help you prevent MITM attacks and improve your web security by ensuring that you are communicating with the legitimate and intended web server. It can also help you detect any changes or errors in the web server’s certificate or configuration, such as expiration, revocation, or misconfiguration.
How does certificate pinning work?
Certificate pinning works by using the concept of public key cryptography. Public key cryptography is a system that uses two types of keys: a public key and a private key. A public key is a code that anyone can use to encrypt data, but only the owner of the corresponding private key can decrypt it. A private key is a code that only the owner knows and uses to decrypt data encrypted with their public key. A private key can also be used to sign data with a digital signature, which can be verified by anyone using their public key.
A digital certificate contains both a public key and a digital signature of the web server. The digital signature is created by using the web server’s private key to sign some information about the certificate, such as its domain name, issuer, expiration date, etc. The digital signature proves that the certificate belongs to the web server and has not been altered by anyone else.
When you visit a website that uses HTTPS, your browser will request the web server’s digital certificate and verify its digital signature using its public key. If the signature is valid, your browser will use the web server’s public key to encrypt the data that you send to it, and the web server will use its private key to decrypt it. Similarly, the web server will use your browser’s public key to encrypt the data that it sends to you, and your browser will use its private key to decrypt it. This way, both parties can exchange data securely and confidentially.
However, as we mentioned earlier, this process can be compromised by hackers who can issue fake or malicious certificates for websites that they control. To prevent this, you can use certificate pinning to specify which certificates or public keys you trust for a particular website or domain name. There are two ways to do this: static pinning and dynamic pinning.
Static pinning
Static pinning is when you hard-code the list of trusted certificates or public keys in your browser or application. For example, if you are developing a mobile app that connects to your own web server, you can embed the certificate or public key of your web server in your app’s code. This way, your app will only accept connections from your web server and reject any other certificates or public keys. Static pinning is more secure and reliable, but it also requires more maintenance and updates whenever the certificates or public keys change.
Dynamic Pinning
Dynamic pinning is when you obtain the list of trusted certificates or public keys from an external source, such as a web service or a file. For example, if you are using a web browser that supports certificate pinning, you can download a file that contains the list of trusted certificates or public keys for various websites or domain names. This file is called a HTTP Public Key Pinning (HPKP) header , and it is sent by the web server along with its certificate. The HPKP header tells your browser which certificates or public keys to trust for a specific website or domain name and how long to cache them. However, [Certificate Transparency](https://binaryte.com/blog/ensuring- trust-the-role-of-certificate-transparency) replaced HPKP support in browsers in 2017, because HPKP mechanism was known tp be too complex and risky to use. Dynamic pinning is more flexible and scalable, but it also depends on the availability and integrity of the external source.
Pros and Cons of certificate pinning
Certificate pinning can provide several benefits for your web security.
**Preventing MITM attacks **
Certificate pinning can help you avoid falling victim to hackers who can intercept, modify, or steal your data by using fake or malicious certificates. By comparing the web server’s certificate or public key with your pre-defined list, you can ensure that you are communicating with the legitimate and intended web server.
Improving security
Certificate pinning can help you improve your security by reducing your reliance on CAs and their verification process. CAs can be compromised, impersonated, corrupted, or coerced by hackers, governments, or other entities. By using certificate pinning, you can bypass the CA verification process and directly trust the web server’s certificate or public key.
Detecting changes or errors
Certificate pinning can help you detect any changes or errors in the web server’s certificate or configuration, such as expiration, revocation, or misconfiguration. By comparing the web server’s certificate or public key with your pre-defined list, you can notice any discrepancies or anomalies that may indicate a security breach or a technical issue.
However, certificate pinning can also pose some challenges for your web security.
Causing compatibility issues
Certificate pinning can cause compatibility issues with some browsers, applications, platforms, or devices that do not support it or have different implementations of it. For example, some browsers may not support HPKP headers or may have different ways of handling them. Some applications may not be able to access some websites that use certificate pinning because they do not have the required certificates or public keys. Some platforms or devices may have different policies or restrictions on how they store or manage certificates or public keys.
Creating maintenance overhead
Certificate pinning can create maintenance overhead for both web servers and clients. Web servers need to update their certificates or public keys regularly and ensure that they are consistent and compatible with their clients. Clients need to update their list of trusted certificates or public keys frequently and ensure that they are valid and accurate. Both parties need to handle any errors or exceptions that may occur due to certificate pinning.
Introducing risks
Certificate pinning can introduce risks if not implemented properly or securely. For example, if a web server’s certificate or public key is compromised or stolen by hackers, they can use it to impersonate the web server and bypass the certificate pinning mechanism. If a client’s list of trusted certificates or public keys is corrupted or tampered with by hackers, they can use it to trick the client into trusting fake or malicious websites.
Conclusion
Certificate pinning is a technique that can help you boost your web security
by verifying the identity and authenticity of a web server by checking its
digital certificate against a pre-defined list of trusted certificates or
public keys. Certificate pinning can help you prevent MITM attacks, enhance
security, and detect changes or errors in the web server’s certificate or
configuration. However, certificate pinning can also cause compatibility
issues, create maintenance overhead, and introduce risks if not implemented
properly
or securely.