Some people argue that certificate pinning is a must to protect against sophisticated attacks. Some will say that it is a pain in the bottom. But what is it actually?
Certificate pinning is a mechanism that introduces "direct trust" between your web browser and a web server. When the web server (e.g., quora.com) sends a "pinning flag", your web browser remembers it, and the next time you connect to quora.com it shows a warning if it detects a configuration change (i.e., someone is attacking you, or someone made a configuration error).
The usual HTTPS verification uses standard X.509, which defines certificate verification via a proxy, where the proxy is a "trusted authority", or CA. We, as users, don't care which certificate is used, so long as the trusted authority confirms it's a good one, and so long as that trusted authority is itself trusted by our web browsers.
Pinning means that you only trust the certificate you have seen before. You may use the proxy (the CA) for the first validation, or you can simply say "whatever it is, I trust it" (trust on first use).
When you talk to the same server again, you only trust it if it uses the same certificate. If it's a different one, the browser raises an alarm even if the proxy says it's a good one.
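The "remember the pin, then alarm on a mismatch" behaviour described above, as an added example (this is not code from the original answer or from any browser). It models the browser side of HTTP Public Key Pinning: parsing the `Public-Key-Pins` header (the "pinning flag"), storing pins per host with an expiry, and deciding on a later connection whether to fall back to ordinary CA validation, accept, or raise the alarm. It assumes the caller already has the DER-encoded SubjectPublicKeyInfo bytes of each certificate in the chain (in practice extracted from the certificate); the key bytes and header values used in the usage are constructed sample data, and the host name quora.com is the one from the text.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PinEntry:
    pins: set                 # base64 SHA-256 hashes of SubjectPublicKeyInfo
    expires_at: float         # Unix time after which the pin is forgotten
    include_subdomains: bool  # whether the pin also covers sub-domains


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
    In practice the SPKI bytes come out of the certificate; here the caller
    supplies them directly (the usage below passes constructed bytes)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def parse_pkp_header(value: str, now: float) -> Optional[PinEntry]:
    """Parse a Public-Key-Pins header value into a PinEntry.
    Returns None if the header is unusable: missing or malformed max-age,
    or fewer than two pins (a backup pin is required so that rotating the
    key does not lock users out of the site)."""
    pins = set(_PIN_RE.findall(value))
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                return None
        elif d.lower() == "includesubdomains":
            include_sub = True
    if max_age is None or len(pins) < 2:
        return None
    return PinEntry(pins=pins, expires_at=now + max_age, include_subdomains=include_sub)


class PinStore:
    """The browser-side memory of pins, keyed by host name."""

    def __init__(self) -> None:
        self._entries: Dict[str, PinEntry] = {}

    def remember(self, host: str, header: str, now: float, leaf_spki_der: bytes) -> bool:
        """Record the pins a server sent. The header is honoured only if the
        chain of the connection that carried it already satisfies it; otherwise
        a single bad response could lock the user out of the site."""
        entry = parse_pkp_header(header, now)
        if entry is None or spki_pin(leaf_spki_der) not in entry.pins:
            return False
        if entry.expires_at <= now:        # max-age=0 means "forget this host"
            self._entries.pop(host, None)
        else:
            self._entries[host] = entry
        return True

    def _lookup(self, host: str, now: float) -> Optional[PinEntry]:
        """Find the entry for host, or for a parent domain that set
        includeSubDomains. Expired entries are dropped on the way."""
        labels = host.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            entry = self._entries.get(name)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self._entries[name]
                continue
            if i == 0 or entry.include_subdomains:
                return entry
        return None

    def check(self, host: str, chain_spki_ders: List[bytes], now: float) -> str:
        """Decide what to do with a new connection whose chain presents the
        given SPKIs (leaf first). Returns 'no-pin' (fall back to ordinary CA
        validation), 'ok' (a pinned key is in the chain) or 'pin-mismatch'
        (raise the alarm even if the CA says the certificate is fine)."""
        entry = self._lookup(host, now)
        if entry is None:
            return "no-pin"
        if any(spki_pin(s) in entry.pins for s in chain_spki_ders):
            return "ok"
        return "pin-mismatch"


if __name__ == "__main__":
    # Constructed sample data: two keys (current and backup) for quora.com.
    now = 1_000_000.0
    key1, key2 = b"constructed-spki-1", b"constructed-spki-2"
    header = (f'pin-sha256="{spki_pin(key1)}"; pin-sha256="{spki_pin(key2)}"; '
              'max-age=5184000; includeSubDomains')
    store = PinStore()
    store.remember("quora.com", header, now, key1)
    print(store.check("quora.com", [key1], now + 10))        # ok
    print(store.check("www.quora.com", [key2], now + 10))    # ok (backup key, sub-domain)
    print(store.check("quora.com", [b"other-key"], now + 10))  # pin-mismatch: alarm
    print(store.check("quora.com", [key1], now + 5184001))   # no-pin: pin has expired
```

Two design points mirror what the text calls the alarm "even if the proxy says it's a good one": `check` never consults the CA, and a mismatch is reported regardless of whether the chain would validate normally. The store only honours a header whose pins match the connection that delivered it, and requires a backup pin, because the failure mode of pinning is self-inflicted lockout rather than a broken connection. Major browsers have since removed support for the `Public-Key-Pins` header, so this illustrates the mechanism the answer describes rather than something to deploy as-is.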
In a way, certificate pinning is direct trust, just like in PGP (if you're familiar with that system).