Contact Us Today 01642 716680

SSL Certificate Pinning

Definition: SSL certificate pinning, also known as HTTPS certificate pinning, is a security measure that involves hardcoding the certificate information of a trusted server into an application. This practice allows the application to reject connections from servers that present unexpected SSL certificates, even if the certificates are valid and trusted by the device or browser's standard verification process.

In the context of mobile application security testing, certificate pinning plays an important role in mitigating man-in-the-middle (MitM) attacks, where an attacker intercepts and potentially alters the communication between the client and the server. By implementing SSL certificate pinning, applications can ensure that they only establish connections with the intended server and reduce the risk of an attacker successfully presenting a forged or incorrect certificate to hijack the session.

SSL certificate pinning ensures an extra level of trust verification, as it directly compares the server’s certificate presented during the SSL handshake against the pinned certificate within the app. If there is a mismatch and the certificates presented do not match the pinned certificate, the application terminates the connection, thereby protecting the transmission of data.

While SSL certificate pinning heightens security, it also requires careful management. The certificates hardcoded into the app need to be kept up-to-date to reflect any changes made by the server’s administrator, such as certificate renewals. Otherwise, pinning can result in applications being unable to connect to legitimate servers following certificate updates, causing inconvenience to users.

Key Characteristics:

  • Reinforces trust verification by comparing presented certificates with hardcoded ones
  • Mitigates risks of MitM attacks
  • Is specific to the application and operates independently of device-level trust stores
  • Requires careful certificate management to avoid connection issues

Examples:

  • Real-World Example: A banking application utilises SSL certificate pinning to ensure that when users perform transactions, their sensitive data is only transmitted to the genuine banking server, even if an attacker has compromised a Certificate Authority (CA) and is presenting a seemingly valid, but malicious, certificate.
  • Hypothetical Scenario: During testing, a security analyst confirms that a mobile app’s SSL certificate pinning is implemented correctly by presenting it with a genuine but unexpected SSL certificate and verifying that the connection is indeed blocked.

Related Terms:

  • Public Key Pinning: The act of associating a set of expected public keys with a certain server, which may be part of SSL certificate pinning practices.
  • Man in the Middle Attack: A security threat where an attacker secretly relays and possibly alters communications between two parties who believe they are directly communicating with each other.
  • SSL Handshake: The process by which the SSL/TLS protocol establishes an encrypted connection between a client and a server.
  • Certificate Authority (CA): An entity that issues digital certificates certifying the ownership of public keys used in TLS and SSL communications.

What is the OWASP Top 10: Download our flash cards to find out.

Inside you will find a description of the most common web vulnerabilities.

Contact us

Get a free, no obligation quote from one of our expert staff.

      Looking for reliable Penetration Testing? Use the contact form below and request a quote today.