Sign in Subscribe
1 min read Security

Certificate Pinning is powerful, but you probably shouldn't use it

Let's be clear about Certificate Pinning.

It IS extremely useful.

It IS valid, if you follow 1 rule, and are operating in 2 use case scenarios.

It's simple;
The 1 rule is that YOU control the CA for the pin.

If you don't control the CA, you've essentially circumvented the entire purpose of the system anyway; overriding the trust anchor aka trusted root CA when you pin, you're declaring ONLY this certificate should be used for validation.

What happens when something changes with the issuing CA? It has happened with Wo sign, Comodo, Semantec.

Then your pinned certificate can no longer be validated too.

So whenever you pin its a rule that you do so because you control the issuer CA, and either;
1. The device that does validation has your CA in it's root store, or;
2. You operate a root CA already included in trust services like CCADB

If this is not you (e.g. Instagram) you don't understand what you are doing, because even if you know all of the above and still pin despite knowing, as a "risk decision" l, that implies that you GAIN a security characteristic of some sort, where there is only LOSS of trust and increased likelihood for loss of availability.

So what in your risk decision would say these security losses result in q net security benefit in any loosely related description of any security characteristic pinning provided?

None.

Pinning when you are not the CA is a net security loss.

In scenarios where the device and software are under your control, like; a payment terminal, kiosk, SOE (company issued managed devices) you certainly have a great use case if you also operate a private CA.

But if the end user devices are public, like; websites, mobile store apps, native (windows/Apple/Linux) installable software. i.e. user's are using personal devices you cannot do any management to have your CA trusted - you have no use case for pinning.

So there are vast use cases for pinning actually, just not any that come to mind for sites like Instagram.

Published by:

Stof

You might also like...

Oct
23
Understanding Digital Signatures: More Than Just a Hash

Understanding Digital Signatures: More Than Just a Hash

Digital signatures are a cornerstone of modern security practices, ensuring data integrity and authentication in various online communications. But there&
6 min read
Sep
01
Unlocking Your Tech Success - 5 Essential Lessons

Unlocking Your Tech Success - 5 Essential Lessons

Ever wondered what it takes to thrive in the tech world, not just as a coder but as a tech-savvy
2 min read
May
31
Hawk Authentication bug - Firefox Accounts payload bypassing integrity validation

Hawk Authentication bug - Firefox Accounts payload bypassing integrity validation

HawkAuth protocol is widely adopted by Firefox Accounts and appears in Postman in a very short list of supported API
9 min read
Jun
25

You should have a preference for EV Certificates in 2022 - when most think they are dead

Domain Validated (DV) Certificates may be growing in popularity since the browsers ceased showing the organisation name along with a
3 min read
Oct
04

Zero-trust doesn't exist but that's OK

Where zero-trust might exist 1. Scenarios that have no data 2. Scenarios with data that are never connected to power
7 min read

Member discussion