![\"Graphic](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/04\/bigstock-223372087-1024x640.jpg\")
<\/figure>\n\n\n\nSSL certificate pinning is a process that aims to limit risk by associating a site\u2019s identity with specific certificates. Basically, it tells a client (browser) to accept connections from ONLY with hosts (websites, apps) whose SSL certificate meets specific criteria and reject the rest. For example, it must use a specific public key or be issued by a specific certificate authority.<\/p>\n\n\n\n
The goal of SSL pinning is to avoid social engineering-related attacks<\/a> and prevent customers’ data from being sent to the wrong server. However, not everything about it is perfect, which is why SSL pinning is no longer a recommended practice<\/strong>. But we\u2019ll speak more to that a little later.<\/p>\n\n\n\n In SSL pinning, you instruct the browsers to trust your website only if it:<\/p>\n\n\n\n That means you are pinning the website\u2019s identity with a predefined cryptographic attribute. When web browsers see a pinned certificate, they\u2019ll consider any other identity (CA or public key) invalid and deny the connection.<\/strong> The idea here is that if a hacker tries to manipulate an HTTPS connection or SSL certificate, your browser will recognize it and block the website access.<\/p>\n\n\n\n Certificate pinning has been used for everything from internet connections and software to apps and IoT devices. But to truly understand certificate pinning, you need to have a basic understanding of how the SSL\/TLS works and attaches a unique cryptographical identity to a website. Please check out article on how HTTPS works<\/a> if you need to brush up on some basic concepts before moving forward.<\/p>\n\n\n\n As a website owner or webmaster, you can implement SSL pinning by integrating codes in the header<\/a>. You also need to specify the “max-age”, which means the amount of time that browsers should consider a particular cryptographical identity valid. (The max-age is typically specified in seconds but may total anywhere from a few second to even a year.)<\/p>\n\n\n\n When the browser connects to your server for the first time, it will save the pinned public key (or its hash value), or the CA you have specified in its records. Now, every time the browser connects to that website, it will trust only predefined attributes from its records up until the specified max-age. If the criterion is mismatched, site visitors will get an error page that\u2019s almost impossible to bypass.<\/p>\n\n\n\n Although certificate pinning isn\u2019t now something that browsers or CAs recommend, it used to be considered a good idea. But why? Because there are three main threats related to SSL\/TLS certificates that SSL pinning tries to address.<\/p>\n\n\n\n Any certificate authority can issue an SSL certificate for any domain name. Once the certificate has been issued, all the relying parties \u2014 the server and all the major browsers \u2014 would trust it. <\/p>\n\n\n\n But what if the CA’s server gets hacked or their private keys get compromised? Note: This is a rare issue. But if it does happen, attackers can issue an SSL certificate for any domain name, attaching their own server\u2019s public key and private key<\/a>. They can send, receive, decrypt, and steal the data impersonating the original website. <\/p>\n\n\n\n In August 2011<\/a>, an unknown attacker hacked Dutch certificate authority DigiNotar<\/a> and issued a fraudulent certificate for google.com and its subdomains. <\/p>\n\n\n\n If such things happen again \u2014 and if you have pinned your certificate authority or the public key \u2014 then the browser won\u2019t trust any certificate that:<\/p>\n\n\n\n If cybercriminals disguise themselves as legit domain owners and convince a CA to tie the wrong public-private key set in a domain name’s SSL certificate, then all the customers’ data will be transferred to the hacker\u2019s server. In a same way, certificate mis-issuance might take place due to a bug in the CA\u2019s system or by an employee mistake.<\/p>\n\n\n\n For example, Symantec issued a faulty SSL\/TLS certificate<\/a> for google.com and www.google.com<\/a> in 2015. It was an extended validated (EV) certificate, which is considered to be one of the most trustworthy certificate types. Google detected the mis- issuance via its certificate transparency mechanism<\/a>. Symantec\u2019s intension was not to defraud Google and the mis-issuance was a mistake that happened during Symantec\u2019s internal testing process.<\/p>\n\n\n\n SSL stripping is a man-in-the-middle attack<\/a> technique that leaves your data vulnerable to interception and manipulation. In this attack, an attacker sits between a user and the website and uses an SSL strip tool to force the browser to load the website via the insecure HTTP protocol. That means, whenever the browser tries to connect to a website, the attacker downgrades the connection to establish an insecure HTTP connection between the browser and themselves. <\/p>\n\n\n\n The connection between the website visitor and the hacker is HTTP, but the hacker and website’s server connection is HTTPS. So, what this means is that the attacker can steal all the user\u2019s data because it remains in plaintext format in the HTTP channel. But the server doesn\u2019t realize what\u2019s happening because it\u2019s showing an HTTPS connection on its end. <\/p>\n\n\n\n In SSL stripping, if the certificate\/public key is not pinned, the browser just displays a “not secure” sign in front of the domain name in the address bar or shows an error page, which users can easily bypass. But if the SSL is pinned, the browser gets alerted if it can\u2019t find the pinned SSL attributes in the website\u2019s header. If browsers can\u2019t establish a secure HTTPS connection with the predefined attributes, it will show an error page that website visitors can’t bypass.<\/p>\n\n\n\n SSL pinning sounds so cool on the surface, right? But just like other technologies and processes, it isn\u2019t perfect and has some serious downsides when not properly implemented. Here are just a handful of reasons why SSL certificate pinning is no longer a recommended<\/a> practice. Google and Firefox both have also moved away from public key pinning back in 2018.<\/p>\n\n\n\n If you have pinned a public key in your SSL header, all the browsers and apps have recorded that key in their cache. But what if its corresponding private key gets compromised? If a hacker gets into your hosting site and steals the private key or your employee accidentally leaks it, you must get your SSL certificate revoked and install a new one immediately. That means, you\u2019ll receive a new set of public and private keys.<\/p>\n\n\n\n But the browsers have already recorded the old key and won\u2019t trust the replacement public key until the \u201cmax-age\u201d expires. So, when the browser finds a new public key in the header, it would consider it a cyber attack and won\u2019t let your website visitors open your website.<\/p>\n\n\n\n (However, to reduce the risk, the website owner can install more than one backup SSL certificate on their server and pin several public keys. So, if one certificate is revoked, the backup SSL certificate automatically takes its place, whose public key is already included and pinned in the header.<\/em>)<\/p>\n\n\n\n The Certificate Authority\/Browser Forum (CA\/B Forum<\/a>) keeps changing the technical specifications and guidelines for the SSL\/TLS certificates and all publicly trusted CAs must adhere to them. That means if CAs have any of the following concerns, then browsers would distrust their SSL\/TLS certificates:<\/p>\n\n\n\n In such an event, the CA must revoke the distrusted\/obsolete certificates and issue new certificates for their customers. In the past, certificate authorities like Symantec, RapidSSL, GeoTrust, Thawte<\/a>, and Let\u2019s Encrypt<\/a> have faced such revocation issues. If your certificate gets revoked, you\u2019ll be handed a new set of public\/private keys with a replacement certificate. But the browsers won\u2019t recognize the new key and will block the connections.<\/p>\n\n\n\nHow to Use SSL Certificate Pinning<\/h3>\n\n\n\n
Is SSL Certificate Pinning Necessary<\/h2>\n\n\n\n
1. Certificate Authority Compromise<\/h3>\n\n\n\n
2. Certificate Mis-Issuance<\/h3>\n\n\n\n
3. SSL Stripping<\/h3>\n\n\n\n
The Disadvantages of SSL Certificate Pinning<\/h2>\n\n\n\n
1. Lack of Flexibility in the Event of Private Key Compromise<\/h3>\n\n\n\n
2. Changes in the Certificate<\/h3>\n\n\n\n
3. If You Pin the Wrong Key, It Can Cause a Lot of Lasting Damage<\/h3>\n\n\n\n