SSL pinning

Introduction to SSL Pinning – A Complete Guide

Introduction

SSL pinning stands for Secure Socket Layer that forms grounds of trust by setting a safe connection. You may already know the name HPKP (HTTP Public Key Pinning), it is a particular execution of pinning that is often used with SSL. In this article, our focus is on SSL pinning. It is important to note that SSL pinning and HPKP are different things. So, the things that we will discuss here are not necessarily true about HPKP. But we can still understand the basics of HKPK in this article.

What is SSL Pinning?

SSL pinning is used to make improvements in the security mechanism for a website or company that uses the SSL certificate. Pinning enables you to make a specific cryptographic identity that should be acceptable to your site’s customers. It may look like a difficult task, but in reality, it is simple to execute.

By using cryptography, we can identify the identity of the server or host of a site. A cryptographic identity is basically a file that helps you do so. A Symantec SSL certificate, a private key, and certificate signing requests are some of the examples of cryptographic identity. That cryptographic pin notifies the client/user to remember these identities for a secure connection in the future. That helps the users to avoid any fake or suspicious connection.

To use SSL pinning, you first need to configure your server, and also identify the items that require pinning. After pinning, browsers and also the customers can evaluate the pinned related to every connection. In case a wrong identity is provided, the client will reject this kind of connection.

In a broader aspect, an SSL connection enables the client to establish a secure and encoded connection with the help of matching identity. On the other hand, the function of SSL pinning is to tell the user to accept only a particular identity to connect online.

Why Do You Need SSL Certificate Pinning?

SSL pinning allows the user to only trust the authorized certificate or Public Key. The app developer utilizes the SSL pinning method as an extra security cover for their visitors. Usually, the app shows trust on a custom certificate and allows it to tackle the traffic.

Limiting the number of trusted certificates with the help of pinning stops attackers from evaluating the working of the app and also the method through which it interacts with the server.

Types of SSL Pinning

There are two basic types of SSL pinning,

  1. Pin the certificate
  2. Pin the Public key

We will discuss these types briefly,

Pin the certificate

In this type of SSL pinning, you just need to download the certificate and save it to your device. On starting, your system will compare the certificate with the newly installed certificate.

Pin the public key

You can recover the certificate’s public key and add it to your code as a sequence. At the start, your device compares the certificate’s public key to the one complex hash string in your code. This is the most preferable type of SSL pinning. In the public key pinning, you don’t need to update the key on the certificate, and updating the certificate does not change the key. Or at least you have the option to keep it the same.

What Pinning Protects You From

There are many problems with an SSL certificate, and one of the major issues is the mis-issuance of an SSL certificate. An unofficial certificate is also a mis-issued certificate. It is not safe when a mis-issued certificate is controlling your connection. It can affect both public and private PKIs, but public cases are well-known.

There are many shapes of certificate mis-issuance. A massive security breach of public CA took place in 2011 with the hack of a Dutch certificate authority. The hackers were able to get access to the entire system of the company. For this reason, they were successful in issuing certificates to hundreds of sites. The issued certificates were unauthorized and contain false cryptographic identities.

But in the future, we can avoid this kind of attack easily with the use of SSL pinning. This way we can save the users of these attacked sites. The effectiveness of SSL pinning is visible in the case of Google. Google protects their services with the help of pinning. When a user tries to establish a connection, his/her device will compare that to the pinned data and reject it if any mismatch is found.

The miss-issuance of certificates poses various risks. However, the risk of mis-issuance depends on the standard of pinning on your website or server. High profiled sites are more likely to be compromised as compared to a low profile ones. It also depends on the security structure of your site.

Some Pins Are Better Than Others

It is up to you to pin what you want to pin, but it useful to give priority to important things over less useful things. For example, pinning a leaf certificate is not a good option. In some cases, you may want to change your leaf and in some cases, it becomes necessary to change it.

As we discussed in the above paragraph, if you have pinned the leaf and later on want to change it, you may face serious hurdles in doing so. As we know, pinning depends on the specific identities. This means you will still face the issues even if you have bought another leaf certificate after pinning the first one.

Pinning of an intermediate certificate offers you more compliance. It helps you to change your leaf certificate with a better one. However, it also has some drawbacks associated with it. If you are using a public CA and need a renewal of the certificate. They may issue you a leaf from some different intermediate. You can avoid issues of these types by pinning multiple identities.

Conclusion

SSL pinning helps improve the security technique of websites that rely on the SSL certificate. Pinning enables you to make a specific cryptographic identity acceptable to customers on your website. SSL pinning helps the customers to only trust the authorized certificate or Public Key. It is also helpful for the app developer as it offers an extra security cover for their visitors.

Leave a Comment

Your email address will not be published. Required fields are marked *