A few years back, the largest search engine, Google, started using certificate pinning. Following that, chrome would only accept websites with pinned certificates when trying to connect to Google. This meant that Chrome would block or distrust a website with a disguise.
This level of security bars anyone who tries to mimic a legitimate website. Other browsers, such as Firefox, followed suit, and later, devices and various technologies, including mobile apps, the Internet of Things, and various software applications adopted to implement certificate pinning. Certificate pinning can bar the connectivity of applications, and if it is not well set, it can block your website altogether.
In this article, we will define and look at what certificate pinning is, how it is done, and its benefits and drawbacks.
What Is Certificate Pinning?
This is a technique that reduces the risk of man-in-the-middle attacks. In other words, it is associating a host with their expected X.509 certificate or public key. Certificate pinning reduces the compromise of certificate authorities.
With it, there is an authorized client and browser connection. The moment a certificate provider issues a public key for a host, the host is identified, and the certificate is pinned or associatedwith the host. In most cases, certificate pinning is done on public keys and trusted certificate authorities. The connection is lost or refused if a client uses any other certificate instead of the pinned one.
A service certificate is mostly added to a website or an application during development time or during its first encounter with a public key or certificate. Pinning the certificate during the development stage is preferred because then an attacker cannot compromise certificate pinning. When a certificate is pinned during an application or website’s first encounter with the public key, this is known as key continuity. The drawback with key continuity is that the attacker may have a privileged position during the first encounter.
What Is Man-in-the-Middle Attack?
Take the case of a mobile application whereby the user calls what they think is a safe server. The man-in-the-middle intercepts the message and relays it to a different server. Plus, they receive the server’s public key and pass on its distinct public key to the caller. The hacker can communicate with both the client and the server, but the client and the server cannot communicate with each other. Since they can communicate with the two, the hacker can intercept any data being passed between the client and the server and modify it back and forth.
How Certificate Pinning Works
This is a straightforward process whereby the host or service’s certificate is associated with the pre-designated public key that obeys x.509 cryptography standards. Therefore, if an API or client wants to make a secure connection, the server already has the pinned certificate hence a secure connection is established.
Before a client and server connect and exchange data, a figurative handshake ensures that the client communicates with the right server. There are up to five steps during the figurative handshake. These include:
- The client starts a handshake with the server and specifies a Transport Layer Security version (TLS).
- The server responds with the public key and certificate.
- The client then verifies the server’s public key or certificate and then sends back a shared key based on the server’s public key.
- The server now confirms receipt of the shared key.
- Data starts flowing between the client and server, and the data shared is encrypted using the new shared public key hash.
Can Anything Go Wrong with Certificate Pinning?
Certificate pinning with HTTP Public Key Pinning or HPKP can be risky, especially when there is a problem during the implementation of certificate pinning. This can cause your site to load slowly or a connectivity loss in your application. Various things can happen if the certification is compromised. These include:
1. Certificate Revocation
Certificate authorities can revoke a certificate when there is a public key misspelling or invalid entry in OU or subject name entry. Certificate Authorities (CAs) take up to 5 days in the end entity certificate revocation process. When a certificate is pinned in the client code, it becomes hard to update the new certificate for all your clients.
2. Key Compromise
Certificate pinning with HPKP considers the already defined public key certificate for 60 days. Most websites, however, do not keep backups of keys. In such circumstances, such sites become vulnerable to a single key usage. Certificate authorities reject compromised certificates, and when your key is compromised, the client will fail to recognize the new certificate as it only remembers the initial pinned by an intermediate certificate authority. Therefore there will be a failed connection.
3. Hacking
It is hard to edit whenever the HPKP policy is set for a site. If a hacker accesses the server and sets a fake HPKP policy, the server will fail to establish a connection. And even when you want to re-secure your server’s certificate, the earlier HPKP policy will still persist.
Certificates That Can Be Pinned
Web and application owners are free to choose what to pin in their certificate chain. An organization that owns the application should solely control a minimum of one certificate in the chain of trust. Pinning only the root certificate in the chain is a mistake that leaves a vulnerability that can give access to bad actors.
The certificates that can be pinned in the chain include the following:
1. Root Certificate
Root CA issues certificate that come with both public and private keys. The certificate is made of standard hashing and cryptographic algorithms.
2. Intermediate Certificate
This certificate lies in the centre of a chain certificate, given that it is an intermediary between self-signed certificates and leaf and root certificates.
3. Leaf Certificate
The root certificate bears the highest chain certificate and is also named an end-identity certificate. Leaf certificate needs timely updates and revocation by certificate authorities.
Threats That Certificate Pinning Prevents
1. Network MITM Threats
Certificate pinning stops malicious agents that may attempt to intercept your traffic. Hackers may want to trick your users into connecting to pseudo websites. They may tamper with the client hence preventing requests from being passed.
2. Local Device MITM Threats
Certificate pinning can stop direct attacks against devices in debug/local scenarios.
The Benefits of Certificate Pinning
Pinning a certificate for a website or an application protects it against
- Remote man-in-the-middle attack
- Invalid issuance of a certificate
- Compromise bytrusted certificate authority authorities
- It prevents unauthorised malware on a device
- Reverses engineering and certificate authorities’ mistakes
What Are the Problems of Certificate Pinning?
There are other drawbacks of certificate pinning, such as:
- It does not help provide the same integrity of network communication as SSL does
- Also, certificate pinning does not help with the compromisedprivate key of a pinned certificate
- Does not protect the rooted device or jailbroken device and doesn’t avoid reverse engineering
Conclusion
Certificate pinning is a defence strategy that organisations should implement to protect their sensitive information. The effects of a compromised certificate authority on your website or application can soil your company’s reputation and make you lose money; hence implementing certificate pinning should be taken seriously.
Featured Image Source: Unsplash.com