blog-post

Do You Really Need Certificate Pinning For Your Website?

Certificate pinning is a technique originally designed as a means of preventing man-in-the-middle attacks (MITM), in which a website accepts only authorized (“pinned”) certificates when communicating with the Web server.

This technique specifies which certificates are accepted for a particular website, limiting risk.

History Of Certificate Pinning

HPKP (HTTP Public Key Pinning) started back in 2011, when Google programmed Chrome to accept only the “hard-coded” certificates when attempting to connect domain names to Google.com

When Chrome connected to google.com website, it already knew which CAs to accept. If a certificate from any other CA was presented, the connection would not proceed. This meant that if an attacker managed to convince a publicly-trusted CA into issuing them a certificate for the google.com domain, Chrome would not continue with the connection when trying to access the website.

Fast-forward to 2015, Chrome and Firefox started using the HTTP Public Key Pinning (HPKP) header. The first time a browser connected to a website using HPKP, it recorded the public key from the header, and would only accept that key every time it connected to the site, up until the “max-age” defined in the HPKP header would elapse.

Meanwhile, this technique was also introduced in mobile apps, IoT devices, and other software.

These practices, when implemented correctly, can greatly enhance security. However, when scarcely documented and poorly implemented, they can generate more problems than solutions.

Benefits oo HPKP

HPKP can offer enhanced control for organizations that wish to be very specific on the certificate-based authentication for their websites. The expectation is that it would thwart attackers from successfully utilize fraudulent certificates in gaining illegitimate access to applications or data through MITM attacks, invalid certificates or compromised CAs.

Drawbacks Of HPKP

Pinning, especially with HPKP, is extremely risky and error prone. If you configure your pinning settings incorrectly, you could end up DOS-ing your own website or break connectivity in your application, with limited options for recourse, or until the “max-age” time has elapsed.

Here are a few ways in which pinning can cause harm.

Key Compromise

A common (bad) practice with HPKP is to pin the “leaf certificate” (end-entity certificate) public key to a website for 60 days. This means that for the next 60 days, your browser will only accept that certificate during the TLS exchange when accessing that website.

Many sites do not specify backup keys, underestimating the risk of using just one key. If that key is compromised (accidental leak on a GitHub repo, stolen during a data breach or inside attack etc.), then it is game over.

CAs are required to revoke that key. With no other key available, legitimate clients are no longer able to visit the website.

No Cryptographic Agility

Cryptographic agility is necessary when you’re forced to change certificates with new ones because the current ones will soon expire.

Since pinning is just a fancy word for “hardcoding”, any changes to the certificate requires both an update to the certificate AND an update patch to the application.

Updating applications may not be straightforward, especially on a limited timeline, and those clients that do not install the latest version may no longer be able to access the website.

Revocation Of Certificates

CAs can revoke certificates with little or no prior warning, which can completely take your website by surprise. Similar to cryptographic agility, you may be left scrambling to update your web app quickly so that users can access it.

Conclusion

Certificate pinning using HPKP has rapidly become widely discredited on the grounds that it carries unacceptable certificate agility costs with little benefits.

As a result, HPKP has been deprecated altogether in 2018 in favor of another header: Expet-CT.

Share on:
comments powered by Disqus

Related Articles

For every type of business

If you’re interested in a complete Security Program without the high costs, a cyber security consultant is the best way to start.

Get started Now