AppSec Stof

Stay tuned

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
AppSec Stof

Certificate Pinning is powerful, but you probably shouldn't use it

Let's be clear about Certificate Pinning.

It IS extremely useful.

It IS valid, if you follow 1 rule, and are operating in 2 use case scenarios.

It's simple;
The 1 rule is that YOU control the CA for the pin.

If you don't control the CA, you've essentially circumvented the entire purpose of the system anyway; overriding the trust anchor aka trusted root CA when you pin, you're declaring ONLY this certificate should be used for validation.

What happens when something changes with the issuing CA? It has happened with Wo sign, Comodo, Semantec.

Then your pinned certificate can no longer be validated too.

So whenever you pin its a rule that you do so because you control the issuer CA, and either;
1. The device that does validation has your CA in it's root store, or;
2. You operate a root CA already included in trust services like CCADB

If this is not you (e.g. Instagram) you don't understand what you are doing, because even if you know all of the above and still pin despite knowing, as a "risk decision" l, that implies that you GAIN a security characteristic of some sort, where there is only LOSS of trust and increased likelihood for loss of availability.

So what in your risk decision would say these security losses result in q net security benefit in any loosely related description of any security characteristic pinning provided?


Pinning when you are not the CA is a net security loss.

In scenarios where the device and software are under your control, like; a payment terminal, kiosk, SOE (company issued managed devices) you certainly have a great use case if you also operate a private CA.

But if the end user devices are public, like; websites, mobile store apps, native (windows/Apple/Linux) installable software. i.e. user's are using personal devices you cannot do any management to have your CA trusted - you have no use case for pinning.

So there are vast use cases for pinning actually, just not any that come to mind for sites like Instagram.

Latest issue