What is SSL Pinning & How Does It Work? [An Ultimate Guide]


SSL, or Secure Sockets Layer, is a protocol for securing the communication between two parties. When two devices connect, both the sender and the receiver need assurance that no third party can listen in on or access their communication. SSL pinning is one of the ways to provide this assurance.

Today, SSL pinning has become necessary in the wake of increasing unauthorized access attempts and attacks. Among these, there have been cases in which fake SSL certificates were issued for websites. Such certificates present the same risk as having no SSL protection at all.

In this blog post, we will discuss SSL certificate pinning in detail and address the current issues and solutions.

What is SSL?

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are two protocols that encrypt communication. Websites and online platforms secured with SSL are served over HTTPS, which appears as the prefix of the URL address.

A key aspect of SSL is the “Chain of Trust”: the SSL certificate presented by a website is issued by a trusted Certificate Authority (CA). A significant reason for this system is to prevent Man-in-the-Middle (MITM) attacks.

In these attacks, an adversary looks for a weakness in the security of the communication and exploits it to gain access. The attacker may have any number of malicious intentions, which puts both the sender and the receiver at risk.

In the era of mobile and internet banking, it is essential to implement a security system that protects everyone from hacks and attacks.

Even with these measures, there are risks, because several organizations have been caught issuing malicious and fake SSL certificates. An attacker can pose as a certificate issuance authority and gain access to the internal systems of the involved parties.

SSL pinning is partly about adding a protective layer and partly about countering the mis-issuance of SSL certificates, which puts the data on the website and customers’ information at risk of unauthorized access.

What is SSL Pinning?

SSL certificate pinning is one of the techniques used to prevent unauthorized access and improve website security. SSL or TLS certificate pinning leverages cryptographic identity to prove the identity of the server or host.

With pinning, the client records (pins) the identity of a trusted certificate. As a result, any connection attempt that presents a different certificate is blocked, especially one coming from a suspicious server.

Applications and platforms that use SSL pinning carry their own repository of stored certificates; they do not rely solely on the device’s certificate store to establish trust. With this, one can create and save a list of trusted SSL certificates or issuers inside the application or website.

While establishing a connection, the client checks the server’s certificate against that list. If it matches a trusted entry, the connection is made. Otherwise, the user is shown a warning message or is not allowed to access the platform at all.

SSL pinning is like double-checking the connection. Once the certificate has passed the usual validation, the second checkpoint is the pin. SSL certificate pinning ensures that even when a malicious or fake certificate has been installed for a website or application, users will not be allowed to establish a connection.

What is the Chain of Trust?

The Chain of Trust represents the hierarchy of certificate issuance, which has three tiers. The first tier is the server’s own certificate; for instance, someone building a web application who wants to add an SSL certificate to it obtains one at this tier.

The server sends the certificate with its public key to the client, where it can be registered in the frontend code. This certificate is signed by a Certification Authority (CA), the second tier, whose certificate is in turn signed by a Root Certificate, the third tier. The Root Certificate is self-signed.

What are Digital Certificates that Secure the Connection?

Where SSL is the protocol, the document that underpins its deployment is the certificate. It contains the identifying information of the server in whose name it is issued.

Think of it as an identification card. Websites and applications that carry this sort of ID are safe and will protect their users’ information. Now imagine an application without an SSL certificate.

Any third party could read the bank records of the individuals and customers using the application, from their account passwords to credit and debit card information and everything else stored on the bank’s servers.

SSL digital certificates follow the X.509 standard, defined by the International Telecommunication Union (ITU). A CA can issue digital certificates, but that is also where trouble can arise.

A digital certificate holds the following information:

  • Subject: The entity to whom the certificate is issued. It can be a user, network device, computer, platform, etc.
  • Serial Number: A unique number the issuer assigns to each certificate.
  • Issuer: The unique name of the issuing entity; usually a CA is named here.
  • Validity: The Valid From and Valid To dates. Once the Valid To date is reached, the certificate is considered invalid.
  • Public Key: The certificate holds the subject’s public key, which is used to establish the secure connection.
  • Algorithm Identifier: Identifies the cryptographic algorithm used for the certificate’s signature.
  • Version: Indicates the X.509 version of the certificate.
  • Time Stamp: Shows the date and time of the certificate’s creation.

Protection Provided by SSL Certificate Pinning

We have covered what pinning is and the certificates it relies on. Next, let’s look at how this mechanism provides its protective cover. We have already mentioned the mis-issuance of certificates; this is a serious anomaly in the system and is used to exploit server connections.

Mis-issuance is when a fake certificate is issued to make a domain, host, or computer appear protected when in reality it is vulnerable. Attackers go not only after domains and hosts; they also attack Certification Authorities and use them to issue fake certificates.

By doing so, they gain access to the CA’s records and to the records of its subjects. Pinning protects both senders and receivers: when a certificate is presented, the user’s browser or device compares it with the pinned data and looks for a mismatch.

If there is a mismatch, the user is shown a warning message or notification, and can also be blocked from accessing the website or application altogether.

How Does the SSL Certificate Pinning Work?

Remember the Root Certificate discussed earlier. The issue is that we can only put a limited amount of trust in SSL certificates, and especially in the entities that authorize them.

In other words, the server that sent a CA-signed certificate does not automatically deserve our trust, and neither does the Root Certificate. So how is this resolved?

For one, Root Certificates are preloaded into the device, whether a mobile phone or another platform. Each is given a name, which can be anything: Root 1, Root 2, and so on. These self-signed root certificates are accepted and trusted globally.

Now imagine that an attacker obtains an equivalent certificate with a slightly different name. For instance, if the original certificate is issued in the name of g.com, the fake one may be issued for gs.com. This is how MITM attacks can take place.

The person trying to establish a secure connection with the server is shown that they are going to g.com, but they are actually being sent to gs.com, and the user’s device or browser will trust even the fake certificate.

Certificate pinning exists to ensure that the scenario above does not happen: the expected certificate is hard-coded into the client device.

Above we described embedding the public key into the client device. We can also embed the server certificate itself, the CA certificate, or the Root Certificate. This is called pinning the certificate.

We can also store a hash of it on the device and ensure that the client always reaches the right server with full encryption. After this, the connection is only established when the certificate matches the pinned data.

SSL pinning works exceptionally well at preventing MITM attacks. It also helps against DNS poisoning-based attacks.

Hash Key Pinning, or Pinning the Public Key

In the scenario above, every time the certificate is renewed, the pinned value must also be updated or connections will fail. However, we can pin a hash of the public key instead, to avoid updating it every time while still ensuring a secure connection.

With this approach, even after the certificate is renewed or changed, the underlying public key associated with it stays the same and can still establish secure communication. This makes the pinning system more dynamic and flexible, which suits present-day deployments. Hash-based pinning is a bit harder to implement, but it can be done. Essentially, instead of storing the public key itself, we record its hash, preferably SHA-256, and store that in the system.
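To make the two preceding sections concrete (pinning the certificate, and pinning a hash of the public key), here is an added example that is not code from the original post. It locates the SubjectPublicKeyInfo inside a DER-encoded X.509 certificate and computes a pin in the base64(SHA-256(SPKI)) form used by HPKP and OkHttp; the certificates, key bytes and pin set are constructed inline (toy structures with the real X.509 field layout but no CA signature), and the names are this example's own.

```python
import base64
import hashlib

def tlv(tag, content):  # one DER TLV; short-form length only, enough for these small toys
    return bytes([tag, len(content)]) + content

def der_children(buf):
    """Split a constructed DER element into its child TLVs (headers included)."""
    def length_at(i):  # -> (content length, index of the first content byte)
        if buf[i] < 0x80:
            return buf[i], i + 1
        n = buf[i] & 0x7F          # long form: the next n bytes hold the length
        return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n
    _, i = length_at(1)
    out = []
    while i < len(buf):
        n, start = length_at(i + 1)
        out.append(buf[i:start + n])
        i = start + n
    return out

def spki_from_certificate(cert_der):
    """Certificate = SEQ{tbsCertificate, sigAlg, signature}; TBSCertificate = SEQ{[0] version
    OPTIONAL, serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo, ...}."""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:  # explicit [0] version tag is present (v2/v3 certificates)
        fields = fields[1:]
    return fields[5]          # the SubjectPublicKeyInfo TLV: exactly the bytes to be hashed

def spki_pin(spki_der):  # HPKP / OkHttp-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_matches(cert_der, pinned):  # True if the presented certificate's key matches any pin
    return spki_pin(spki_from_certificate(cert_der)) in pinned

# Constructed toy certificates: real X.509 field layout, but a placeholder instead of a CA signature.
SEQ = lambda *parts: tlv(0x30, b"".join(parts))
ECDSA_SHA256 = tlv(0x06, bytes.fromhex("2a8648ce3d040302"))  # ecdsa-with-SHA256 OID
EC_P256 = SEQ(tlv(0x06, bytes.fromhex("2a8648ce3d0201")), tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
def toy_spki(key_bytes):  # id-ecPublicKey / prime256v1 algorithm id, then toy key bytes as a BIT STRING
    return SEQ(EC_P256, tlv(0x03, b"\x00" + key_bytes))
def toy_certificate(serial, spki):
    tbs = SEQ(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, serial), SEQ(ECDSA_SHA256), SEQ(),
              SEQ(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z")), SEQ(), spki)
    return SEQ(tbs, SEQ(ECDSA_SHA256), tlv(0x03, bytes(9)))

KEY_A, KEY_B = toy_spki(bytes(range(16))), toy_spki(bytes(range(16, 32)))
PINS = {spki_pin(KEY_A)}                    # the pin set shipped inside the client
RENEWED = toy_certificate(b"\x02", KEY_A)   # reissued certificate, same key: still pins
ATTACKER = toy_certificate(b"\x03", KEY_B)  # otherwise valid-looking certificate, other key
```

Because the pin covers only the SubjectPublicKeyInfo, RENEWED (a new serial number and validity period, same key) still matches, while ATTACKER is rejected no matter which CA signed it; in practice a backup pin for a spare key is added to PINS before the key is ever rotated.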

Pros of SSL Certificate Pinning

  • SSL Pinning provides us with better and tighter security.
  • It protects the clients and servers from establishing an unsafe connection due to certificate mis-issuance.
  • With SSL pinning, there won’t be any eavesdropping and exposure to device malware.
  • It instantly detects and reports MITM attacks.
  • SSL pinning provides some level of protection from DNS poisoning attacks.

Cons of SSL Certificate Pinning

  • Without hashing, changing the certificate and public key becomes a nuisance.
  • With the SSL certificate pinning integrated into an application, it is difficult to insert additional security solutions.

Conclusion

The entire internet depends on users building connections, and SSL technology is here to uphold every individual’s privacy and freedom. There are still threats to creating a secure communication channel, which is why we use SSL pinning. SSL certificate pinning can be a complex process to implement, but it is an essential step toward building a highly secure communication channel.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.