SSL certificate pinning is an optional mechanism that is used to provide extra security to the server or websites that already relies on SSL Certificates. Pinning allows you to specify a cryptographic identity that must be accepted by the users visiting the website. Instead of allowing any trusted certificate to e used, the operator ‘pin’ the certificate authority issuer, public keys, or even end-entity certificates of their choice. As a result, users connecting to that server will treat all the other certificates as invalid and refuse to make an HTTPS connection. SSL pinning identifies a specific identity and tells the clients that they should accept the same when making a secured connection.
In SSL pinning, browsers trust your website only if it:
- Uses an SSL/TLS certificate that is issued by a particular certificate authority (CA).
- Has a specific cryptographic public key, commonly known as HTTP public key pinning (HPKP).
- Has a particular intermediate certificate.
Benefits of SSL Pinning:
- Helps in making the connection more secured.
- Better protection against a compromised CA
- Stronger protection against CA mistakes
- Complete protection against any malicious certificates added by users.
Is SSL Certificate Pinning Necessary?
Although browsers or CAs now do not recommend SSL certificate pinning it is used to be considered a good idea. The reason being there are three main threats related to SSL/TLS certificate that SSL pinning tries to address:
SSL Stripping:
SSL stripping is a man-in-the-middle attack technique where an attacker sits between a user and the website and uses an SSL strip tool to force the browser to load the website via the insecure connection i.e. via HTTP protocol. It means, every time the browser tries to connect to a website, the attacker downgrades the connection and establishes an insecure connection between the browser and themselves.
The connection between the website visitor and the hacker is HTTP but the connection between the hacker and the website’s server is HTTPS. It means the attacker can steal all user’s sensitive data as it remains in plaintext format in the HTTP channel. On the server end, it is showing an HTTPS connection and the server is unable to realize what exactly is happening.
In SSL stripping, if the SSL certificate is pinned and the browser cannot find the pinned SSL attributes in the website’s header, the browser gets alerted. The browser will not be establishing a secured HTTPS connection with predefined attributes and will show an error page that visitors of that website cannot bypass.
2. Certificate Authority Compromise:
If the CAs’ server hacked or their private keys are compromised, attackers can issue an SSL certificate for any domain by attaching their own server’s public key & private key. This is a rare issue but if such things happen and you have pinned your certificate authority or public key, then the browser will not trust any certificate that:
- Is issued by any other certificate authority.
- Contains a different public key.
3. Certificate Mis-issuance:
If cybercriminals appeal to themselves as legit domain owners and convince a CA to match the wrong public key set in a domain name’s an SSL certificate, then all the customer’s original data will be transferred from the customer’s server to the hacker’s server. In the same way, if there is any bug in the CA’s system, certificate mis-issuance might take place.
In such cases, if you pinned your SSL certificate, CA would not trust any other public-key offered by cybercriminals.
Conclusion:
SSL certificate pinning surely has some benefits, but its configuration is a little complicated and there is a lack of flexibility even if you have a valid reason to change the pinned criteria. Basically if,
- Your private key is compromised.
- Need of changing the CA or the certificate.
- The certificate gets revoked.
- Wrong keys are pinned by attackers.
Implementing SSL certificate pinning on intranet websites is a wiser decision than public-facing websites.
No comments:
Post a Comment