SSL encryption is among the most foolproof ways to secure your site, but what if you could strengthen it even further? A few years back, certificate pinning was a practice often used to enhance the security of an SSL security. People believed it helped mitigate the risks of cyber threats like man-in-the-middle attacks and certificate misissuance, making it more difficult for hackers to use SSL certificates in their attacks.
Nowadays, however, cert pinning isn’t considered best practice, with many industry professionals discouraging it entirely. Read on to find out why.
The SSL chain of trust
To understand certificate pinning, you’ll first need to understand how SSL certificates are typically validated before launching a secure connection, for example, when a client, like a browser, attempts to connect to a website server. Part of this process, known as the SSL handshake, involves the client checking the signature hierarchy of an SSL certificate and whether it matches your browser’s store of trusted root certificates.
In order for your SSL to be deemed trustworthy, it should be signed by a trusted Certificate Authority’s (CA) root certificate or an intermediate certificate that the root cert has signed. This process builds a chain of trust, ensuring clients that your SSL is the real deal and was issued through the proper channels.
What is certificate pinning?
With certificate pinning, signature hierarchy and the chain of trust are discarded altogether. Instead of allowing any SSL issued and signed by a trusted CA, you can “pin” specific SSL certificates to be the only ones considered valid. This gives the site or app owner more control over which SSL to trust, limiting the risk of website spoofing and more. So, if a client tries to connect to a server with a pinned SSL certificate, a secure connection will only be implemented if that pinned SSL is present. Any other SSL, even one signed by a trusted source, will be considered invalid.
There are a few ways to pin specific SSL certificates to your server, such as:
- Adding an SSL as the only one to trust in a client store
- Write the public key hash of your SSL into your website or app code so only it is trusted
- HTTP Public Key Pinning (HPKP) headers, which record and accept a public key from a header for a set number of days (now obsolete)
- Various methods for other apps, IoT devices, and software
While many were happy with how these methods could help enhance SSL security, it soon became clear cert pinning had various downsides.
The risks of certificate pinning
While certificate pinning doesn’t seem like a bad idea in theory, in practice, there were myriad potential drawbacks, including:
- Service interruption: If you misconfigured your pinning or a pinned certificate expires before you notice, clients could experience service interruption.
- Complex maintenance: Because SSL certificates must be regularly renewed, keeping your pinned certificate list up-to-date could become inconvenient and prone to error and disruption, particularly in dynamic, cloud-based environments or large-scale services.
- Issues with HPKP: HPKP has various downsides, such as losing access to pinned keys and thus their site, and hackers setting fake HPKP policies for websites. There’s a reason why Google and Firefox removed HPKP support just a few years after its introduction.
The takeaway
While certificate pinning is still possible, industry experts largely discourage it due to its many downsides. While it does enhance some aspects of SSL certificates, there are already many protections in place to ensure the safety of SSLs. For example, the rise of Certificate Transparency in the SSL industry has reduced the risk of certificates being issued to those who don’t own a particular website or app.
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.