





SSL or Security Socket Layer is a technique, or we can also call it an arrangement to secure the communication between two entities. When two devices connect, both the sender and receiver must get assured that no third party can listen to or access their communication. The SSL pinning is one of the ways to ensure this.
Today, SSL pinning has become necessary in the wake of increasing unauthorized access attempts and hacks. Amongst this, there have been cases where fake SSL certificates are issued to the website owners. These fake certificates present the same risk as not having SSL protection.
In this blog, we will talk about SSL certificate pinning in detail and address the current issues and solutions.
Security Socket Layer or Transport Layer Security are two ways to ensure encryption in communication. The websites or online platforms that are secured with SSL get the designation of HTTPS before the URL address.
A key aspect of SSL is the “Chain of Trust”. This means the SSL certificate provided to a website is provided by a trusted Certificate Authority (CA). A significant reason for the implementation of this system is to prevent Man in the Middle Attack (MITM).
These attacks try to find a vulnerability in the communication’s security system and exploit it to gain access. The attackers might also have malicious intentions, which is risky to both the sender and receiver.
In the era of mobile and internet banking, it is essential to implement the perfect security system that will protect everyone from hacks and attacks.
Even with these measures, there are risks because several organizations have been caught issuing malicious and fake SSL certificates. The hacker would pose as a certificate issuance authority and gain access to the internal systems of the involved parties.
SSL pinning is partly related to establishing a protective layer and partly to the mis-issuance of the SSL certificates, which will put the data on the website and the customer’s information at risk of access.
SSL Certificate Pinning is one of the techniques used to prevent unauthorized access and improve website security. The SSL or TLS certificate pinning leverages cryptographic security to identify and prove the identity of the server or host.
Under this, we can pin the identity of a secure and trusted trustworthy certificate. As a result, any document or attempt to access it is blocked, especially the ones coming from a suspicious server.
Websites and platforms enabled with SSL pinning have a repository of stored certificates. They do not rely on certificate stores to establish security of the same. With this, the users can create and save a list of trusted SSL certificate issuers to the application or website.
Whilst establishing communication, it will check and compare the server certificates from the list. If it is a trusted one, the connection will be made. Otherwise, the users will be provided with a warning message or not be allowed to access the platform.
SSL pinning is like double-checking the connection. Once it is checked as per the usual mechanism, the second checkpoint is about the pinning. SSL certificate pinning ensures that even when a website owner or an application has installed a malicious or fake certificate, it won’t allow the users to establish a connection.
The Chain of Trust represents the hierarchy of the certificate issuing, which goes back to three tiers. The first tier is the issuance of the certificate by the server. For instance, if someone wants to build a web application and wants to add an SSL certificate in it.
The server will send the public key of the certificate to the user, which will be registered in the frontend code. This certificate is signed by a Certification Authority (CA), which is in turn signed by Root Certificate, which is the third tier. The Root Certificate is self-signed.
Where SSL is a technique, the document ensuring its implementation is a certificate. This certificate contains all the information about the server on whose name the certificate is issued.
Consider it as an identification card. The websites and applications that have this sort of ID are safe and will protect their user’s information. Imagine an application without an SSL certificate.
Any third party can access the bank records of the individuals and customers using the application. From their account passwords to credit and debit card information and everything stored on the bank’s servers.
The SSL digital certificates use an X.509 standard, defined by the International Telecommunication Union. A CA can also issue digital certificates, but that is where the trouble can arise.
A digital certificate holds the following information;
We have talked about what pinning is and its certification. Moving on, let’s get to know something about this mechanism and its protective cover. We have already talked about the mis-issuance of certificates. This is a big anomaly in the system and is used to exploit server connections.
Mis-issuance means when a fake certificate is attributed to show that a domain, host, or computer is protected when in reality, it is vulnerable. Hackers are not only after the domains and hosts, but they also attack the Certification Authority and start issuing fake certificates.
Due to this, they will get access to the CA’s records and to the records of the subjects. Pinning protects all types of senders and receivers. Once a certificate is issued, the user’s browser or device will compare the pinned data and try to find a mismatch.
If there is a mismatch, the users will be issued a warning message and a notification. The users can also be blocked from accessing the website or application altogether.
Remember the Root Certificate we talked about earlier. Now the thing is that we can only put a limited amount of trust in the SSL certificates, especially in the authorizing entities.
In other words, the server that has sent the certificate, signed by a CA, may not have the luxury of our trust. And neither does the Root certificate. So how is this issue resolved?
Well, for one, the Root Certificate is loaded into the device. It can be a mobile or other platform used here. And these certificates are given a name, any random name. It can be Root 1, Root 2, so on and so forth. These self-signed root certificates are accepted and trusted globally.
Now imagine that a hacker issues the same certificate by slightly changing the name. For instance, if the original certificate is issued in the name of g.com, the fake one may be gs.com. And this is how the MITM attacks can take place.
The person trying to establish a secure connection with the server, will be shown as they are going to g.com. But they are going to gs.com and the user’s device or browser will trust, even the fake certificate.
Certificate pinning works to ensure that whatever you read above doesn’t happen. SSL pinning is here to the rescue, where the said certificate is hard coded into the device.
Above you must have read about encoding the public key into the client device. But we can also encode the certificate, the CA, or the Root Certificate. This is called pinning the certificate.
Now we can also hash it to the device and ensure that the client always accesses the right server and with complete encryption. Post this; the connection will only be established when the certificate matches the pinned data.
SSL pinning works exceptionally well in preventing MITM attacks. It also works well with DNS Poisoning-based attacks.
In the above scenario, every time the certificate is updated, the key must also be updated to ensure a stable connection. However, we can use a hash key to avoid updating it every time and still ensure a secure connection.
With hashing, even after the certificate updates or changes, the underlying public key associated with the certificate will be able to establish secure communication. This helps us make a more dynamic and flexible pinning system, one which is conducive to the present-day system. The hash key system is a bit difficult to implement, but it can be done. So essentially, we are not storing the public key itself but only recording its value, preferably in the form of SHA 256, and storing it in the system.
The entire internet is rooting for users to build connections and the SSL technology is here to uphold every individual’s privacy rights and freedom. There are still threats to creating a secure communication channel, which is why we use SSL pinning. The SSL certificate pinning might be a complex process to implement, but it is an essential step toward building a highly secure communication channel.