Definition
Certificate pinning is a security technique that enhances the security and reliability of a website’s SSL connection by restricting it to trusted certificates.
It enables a website to define its SSL certificate’s distinct fingerprint (public key) for a web browser, which stores and verifies it during future visits, ensuring a secure and trustworthy connection and preventing the risk of fake certificates.
Certificate pinning protects against certificate impersonation and man-in-the-middle (MITM) attacks.
The Working Mechanism of Certificate Pinning
- The website transmits its SSL certificate to the browser during the first connection.
- An HTTP header on the website lists hashes (fingerprints) of authorized public keys that the browser must store for future reference.
- During subsequent visits, the browser verifies whether the certificate matches the stored fingerprints.
- If the certificate matches, the connection is considered secure; otherwise, the browser issues a warning to prevent potential security risks.
Certificate Pinning Types
- HTTP Public Key Pinning (HPKP): In this type of certificate pinning, the server instructs the client’s browser on which specific public keys or certificates to store and trust.
- Certificate Transparency (CT) based pinning: This certificate pinning method relies on publicly available logs of SSL/TLS certificates. Website owners can define valid certificates for their domain by referencing the certificate’s log entry detail.