If you’re wondering “Is it safe for me to implement SSL certificate pinning on my website?” then this article is a must-read for you!
As a website owner or webmaster, you always want to make sure your website is secure. You are ready to implement every possible technique to keep bad guys at bay. One of the security concepts you might have come across is SSL certificate pinning, and now you’re here to learn more about it.
In this article, we’ll cover SSL certificate pinning in an easy-to-understand way. We’ll also cover the benefits and flaws of this process so that you can decide whether SSL pinning is right for your website. (Spoiler alert: SSL certificate pinning isn’t a recommended practice and may result in more harm than good.)
What Is SSL Certificate Pinning? A Definition
SSL certificate pinning is a process that aims to limit risk by associating a site’s identity with specific certificates. Basically, it tells a client (browser) to accept connections from ONLY with hosts (websites, apps) whose SSL certificate meets specific criteria and reject the rest. For example, it must use a specific public key or be issued by a specific certificate authority.
The goal of SSL pinning is to avoid social engineering-related attacks and prevent customers’ data from being sent to the wrong server. However, not everything about it is perfect, which is why SSL pinning is no longer a recommended practice. But we’ll speak more to that a little later.
In SSL pinning, you instruct the browsers to trust your website only if it:
- Uses an SSL/TLS certificate that’s issued by a particular certificate authority (CA).
- Has a specific cryptographic public key, commonly known as HTTP public key pinning (HPKP).
- Has a particular intermediate certificate.
That means you are pinning the website’s identity with a predefined cryptographic attribute. When web browsers see a pinned certificate, they’ll consider any other identity (CA or public key) invalid and deny the connection. The idea here is that if a hacker tries to manipulate an HTTPS connection or SSL certificate, your browser will recognize it and block the website access.
Certificate pinning has been used for everything from internet connections and software to apps and IoT devices. But to truly understand certificate pinning, you need to have a basic understanding of how the SSL/TLS works and attaches a unique cryptographical identity to a website. Please check out article on how HTTPS works if you need to brush up on some basic concepts before moving forward.
How to Use SSL Certificate Pinning
As a website owner or webmaster, you can implement SSL pinning by integrating codes in the header. You also need to specify the “max-age”, which means the amount of time that browsers should consider a particular cryptographical identity valid. (The max-age is typically specified in seconds but may total anywhere from a few second to even a year.)
When the browser connects to your server for the first time, it will save the pinned public key (or its hash value), or the CA you have specified in its records. Now, every time the browser connects to that website, it will trust only predefined attributes from its records up until the specified max-age. If the criterion is mismatched, site visitors will get an error page that’s almost impossible to bypass.
Is SSL Certificate Pinning Necessary
Although certificate pinning isn’t now something that browsers or CAs recommend, it used to be considered a good idea. But why? Because there are three main threats related to SSL/TLS certificates that SSL pinning tries to address.
1. Certificate Authority Compromise
Any certificate authority can issue an SSL certificate for any domain name. Once the certificate has been issued, all the relying parties — the server and all the major browsers — would trust it.
But what if the CA’s server gets hacked or their private keys get compromised? Note: This is a rare issue. But if it does happen, attackers can issue an SSL certificate for any domain name, attaching their own server’s public key and private key. They can send, receive, decrypt, and steal the data impersonating the original website.
In August 2011, an unknown attacker hacked Dutch certificate authority DigiNotar and issued a fraudulent certificate for google.com and its subdomains.
If such things happen again — and if you have pinned your certificate authority or the public key — then the browser won’t trust any certificate that:
- Is issued by another CA, or
- Contains a different public key.
2. Certificate Mis-Issuance
If cybercriminals disguise themselves as legit domain owners and convince a CA to tie the wrong public-private key set in a domain name’s SSL certificate, then all the customers’ data will be transferred to the hacker’s server. In a same way, certificate mis-issuance might take place due to a bug in the CA’s system or by an employee mistake.
For example, Symantec issued a faulty SSL/TLS certificate for google.com and www.google.com in 2015. It was an extended validated (EV) certificate, which is considered to be one of the most trustworthy certificate types. Google detected the mis- issuance via its certificate transparency mechanism. Symantec’s intension was not to defraud Google and the mis-issuance was a mistake that happened during Symantec’s internal testing process.
3. SSL Stripping
SSL stripping is a man-in-the-middle attack technique that leaves your data vulnerable to interception and manipulation. In this attack, an attacker sits between a user and the website and uses an SSL strip tool to force the browser to load the website via the insecure HTTP protocol. That means, whenever the browser tries to connect to a website, the attacker downgrades the connection to establish an insecure HTTP connection between the browser and themselves.
The connection between the website visitor and the hacker is HTTP, but the hacker and website’s server connection is HTTPS. So, what this means is that the attacker can steal all the user’s data because it remains in plaintext format in the HTTP channel. But the server doesn’t realize what’s happening because it’s showing an HTTPS connection on its end.
In SSL stripping, if the certificate/public key is not pinned, the browser just displays a “not secure” sign in front of the domain name in the address bar or shows an error page, which users can easily bypass. But if the SSL is pinned, the browser gets alerted if it can’t find the pinned SSL attributes in the website’s header. If browsers can’t establish a secure HTTPS connection with the predefined attributes, it will show an error page that website visitors can’t bypass.
The Disadvantages of SSL Certificate Pinning
SSL pinning sounds so cool on the surface, right? But just like other technologies and processes, it isn’t perfect and has some serious downsides when not properly implemented. Here are just a handful of reasons why SSL certificate pinning is no longer a recommended practice. Google and Firefox both have also moved away from public key pinning back in 2018.
1. Lack of Flexibility in the Event of Private Key Compromise
If you have pinned a public key in your SSL header, all the browsers and apps have recorded that key in their cache. But what if its corresponding private key gets compromised? If a hacker gets into your hosting site and steals the private key or your employee accidentally leaks it, you must get your SSL certificate revoked and install a new one immediately. That means, you’ll receive a new set of public and private keys.
But the browsers have already recorded the old key and won’t trust the replacement public key until the “max-age” expires. So, when the browser finds a new public key in the header, it would consider it a cyber attack and won’t let your website visitors open your website.
(However, to reduce the risk, the website owner can install more than one backup SSL certificate on their server and pin several public keys. So, if one certificate is revoked, the backup SSL certificate automatically takes its place, whose public key is already included and pinned in the header.)
2. Changes in the Certificate
The Certificate Authority/Browser Forum (CA/B Forum) keeps changing the technical specifications and guidelines for the SSL/TLS certificates and all publicly trusted CAs must adhere to them. That means if CAs have any of the following concerns, then browsers would distrust their SSL/TLS certificates:
- Have issued a certificate with obsolete technology,
- Have a bug in their system
- Are found guilty of any rule violation, or
- Their private key (intermediate certificate’s private key) gets compromised.
In such an event, the CA must revoke the distrusted/obsolete certificates and issue new certificates for their customers. In the past, certificate authorities like Symantec, RapidSSL, GeoTrust, Thawte, and Let’s Encrypt have faced such revocation issues. If your certificate gets revoked, you’ll be handed a new set of public/private keys with a replacement certificate. But the browsers won’t recognize the new key and will block the connections.
3. If You Pin the Wrong Key, It Can Cause a Lot of Lasting Damage
Breaking into a weakly protected hosting account isn’t that difficult. If your credentials are compromised, or if attackers deploy brute-force attacks, they can hack your hosting account and the server where the website is hosted. So, if you haven’t pinned any certificate, or if the max-age has passed and you haven’t re-pinned anything, an attacker can pin their public key to your website’s headers. This results in diverting all of your website traffic to the attacker’s servers.
Conclusion on SSL Certificate Pinning
SSL pinning surely provides some benefits. But it’s not something that’s recommended and site owners who choose to do it do so at their own risk. The configuration is complicated and there is a lack of flexibility even if you have a legit reason to change the pinned criteria. Basically, if
- Your private key is compromised,
- You want to change the CA or the certificate,
- The certificate gets revoked for any reason, or
- Attackers have pinned the wrong keys
there isn’t any easy way to tell the browsers and apps that “Hey, from now onwards, trust X keys/CA/certificate instead of Y”!
It can be quite costly for a public-facing website to lose the hard-earned web traffic. Implementing SSL certificate pinning on an intranet website can be a much wiser decision instead of on public-facing websites.