Certificate pinning is an added layer of communication protection between clients and servers that use cryptographic certificates to secure transmissions between the two.
What HTTPS Secures
You may be familar with the lock icon that shows in your browser location bar when you are on a site that has configured HTTPS.
The lock indicates that the communications between your browser and the server are encrypted (unreadable) by any third party that might be sitting between your computer and the server.
Third parties like:
- Your neighbors (depending on how your local networking is configured)
- Your ISP
- Telecoms provider used by the ISP
- Backbone haul providers
- The server you are communicating withs ISP
- Additional servers in the network where the server is located (depending on configuration)
All of the above would be unable to view the requests passing back and forth between the server and the client browser.
What HTTPS Does Not Do
The above sounds great, but there’s a problem: What if one of the third parties steps up from spying to impersonation. They set up their own server that falsely states that they’re really “https://example-server.com".
To your client:
- It’s encrypted with TLS
- It’s the correct domain
Put another way - standalone HTTPS checking verifies that the connection is secure but cannot verify if the server offering up the certificate is the correct one.
How Certificate Pinning Helps
Certificate pinning shifts the question asked by a client from:
“Is this connection secure?”
“Is this connection secure and is it to the server with the certificate I’m expecting?”
Where is Certificate Pinning Used?
Certificate pinning has gained the most traction on mobile device platforms like Android and iOS as it offers an additional layer of security to communications.
What Threat Models does Certificate Pinning Prevent
Rather than saying if certificate pinning “works” it’s better to discuss the specific threat models that are might apply and the extent to which pinning helps to counter them.
Network MITM Threats
Stopping malicious agents that are attemping to intercept your traffic is surely a worthy goal and likely the most applicable use of pinning.
Intermediate organizations that might want to trick users into connecting to a false site (complete with HTTPS) would throw errors on the client preventing requests from being passed.
Local Device MITM Threats
Much less effective is certificate pinning and it’s ability to counter direct attacks against devices in debug/local scenarios. There are many methods of bypassing
If you’re interested in exactly how someone might go about bypasssing a pinned certificate in an application, can we refer you to NetSPI’s writeup of Android Pinning bypass methods.
Certificate Pinning Risks
So if certificate pinning is so great, why isn’t everybody doing it?
The big cost is risk: you need to have a very mature operational organization to manage the certificate updates in a precise manner that preserves the pinned certificate values.