
Certificate Pinning
Certificate pinning forces your client app to validate the server’s certificate against a known copy. After pinning your server’s certificate inside your client app, the client should still check basic validity, such as the common name in the certificate, and additionally verify that the server’s certificate matches the pinned certificate.
To verify a match, the client can validate against either:
- the entire cert, or
- the public key.
However, instead of storing a direct copy of the cert or key, we store a fingerprint. A fingerprint is a hashed version of either the entire cert or the public key.

What Cert to Pin?
Leaf Cert: A leaf cert is a top-level cert in a certificate chain, i.e. the server’s own end-entity certificate. Pinning a leaf cert gives almost complete certainty that the certificate matches. However, if you cycle your leaf certs often, app updates need to roll out just as frequently to make sure your customers’ app continues to work.
Intermediate Cert: The intermediate cert lives between the leaf and root cert. By pinning the intermediate cert, you’re putting your trust in the intermediate certificate authority. You can therefore update your server’s leaf cert more often, because validation occurs against the intermediate cert.
Root Cert: Finally, the root cert comes from the trusted certificate authority. Pinning the root cert alone puts trust in the root certificate authority, as well as in every intermediary that the root certificate authority trusts.
An easy mistake to make is to pin only the root cert of a public certificate authority (CA). An attacker who obtains a fraudulent certificate from the same CA could then have it accepted by the client as authentic.
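As an added example (not code from the original article), the Go program below computes both pin types described above, a fingerprint of the entire cert and a fingerprint of the public key only, and wires the public-key pin into a callback of the same shape as Go's `tls.Config.VerifyPeerCertificate`. It also illustrates the leaf-rotation point: re-issuing the leaf with the same key changes the whole-cert pin but not the key pin. The hostname `api.example.com`, the `SelfSigned` helper and the certificates it produces are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Pin fingerprints DER bytes: pass cert.Raw to pin the whole certificate,
// or cert.RawSubjectPublicKeyInfo to pin only the public key.
func Pin(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

// VerifyPinned has the shape of tls.Config.VerifyPeerCertificate. Go calls it
// after ordinary chain validation; returning an error aborts the handshake.
func VerifyPinned(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0]) // rawCerts[0] is the leaf
		if err != nil {
			return err
		}
		if pin := Pin(leaf.RawSubjectPublicKeyInfo); !pins[pin] {
			return fmt.Errorf("leaf public key %s is not pinned", pin)
		}
		return nil
	}
}
// SelfSigned issues a throwaway leaf for key: constructed demo data, not a real CA.
func SelfSigned(key ed25519.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "api.example.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse so the Raw* fields are populated
	return cert
}
func main() {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	old, renewed := SelfSigned(key, 1), SelfSigned(key, 2) // leaf rotated, same key
	check := VerifyPinned(map[string]bool{Pin(old.RawSubjectPublicKeyInfo): true})
	fmt.Println("cert pin changed:", Pin(old.Raw) != Pin(renewed.Raw), "; rotated leaf passes key pin:", check([][]byte{renewed.Raw}, nil) == nil)
}
```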
Cert Pinning in Mobile Applications
You’ll have to choose between hard-coding the cert into your application code or putting the cert pin into configuration files that are bundled into your application at build time. Preferably, you’ll go the configuration route, as that keeps your certs out of your source code repository and away from prying eyes.