SSL Pinning & how it can protect you.
If you know the term HPKP (HTTP Public Key Pinning), that is a specific implementation of pinning that is frequently used with SSL. Here we will be covering “pinning” in a more general sense. Please note that pinning and HPKP are different, and not everything discussed here is accurate about HPKP. However, this article will still help you understand some of the concepts involved with HPKP. A follow-up article will specifically discuss HPKP, its implementation, and challenges.
What is Certificate Pinning?
Pinning is an optional mechanism that can be used to improve the security of a service or site that relies on SSL Certificates. Pinning allows you to specify a cryptographic identity that should be accepted by users visiting your site.
That sounds complex, but it’s actually pretty simple. Let’s start by breaking down that down:
A cryptographic identity is a file that can prove the identity of a server/host through cryptography. An SSL certificate, a public key, and a CSR are all examples of a cryptographic identity. That pin would then tell the client to remember that identity (or identities) and only accept those when establishing future secure connections.
So, if you wanted to use pinning, you would configure your server (in some situations – think internal systems – you may also configure the clients) and specify what you wanted to pin. Browsers and other clients would evaluate the pinned identity on every connection. If any other identity was presented, the client would abort the connection.
To think big picture: an SSL connection tells the client to make an encrypted connection with any identity matching that host. Pinning tells the client a specific identity they should accept when making a secure connection.
So, for example, if our site is TheSSLStore.com, we could pin an identity. When a user visits our site, they would receive the pinned information. On a future visit, their browser would take action if we tried to get the client to use a different identity.
What Pinning Protects You From
One of the inherent risks to the SSL ecosystem is mis-issuance. This is when an unauthorized certificate is issued for a domain/host you control. This can happen with both public and private PKIs, though the public cases are certainly better known.
Mis-issuance can take multiple forms. In 2011, the Dutch CA DigiNotar was hacked, in what is probably the largest compromise of a public CA. A hacker was able to access their internal systems and issue certificates for any site. This was a total compromise of the CA system because those certificates had inaccurate cryptographic identities and the CA’s issuance systems had been accessed by an unauthorized user.
More recently, Live.fi, a website operated by Microsoft in Finland, was victim of mis-issuance. In this case, the CA was not at fault for the mis-issuance. The Live.fi service, which offers free webmail, mistakenly allowed a user to register an email address that is whitelisted for SSL certificate approval. This allowed someone without proper authorization to get a certificate for a site they did not own.
In both these cases, pinning could have protected users of those sites (and in the case of DigiNotar, many of Google’s services were protected as they were early adopters of pinning). When a user’s device encountered the mis-issued certificate, it would compare that to the pinned data, and see that there was a mismatch. They would then be warned or blocked from visiting the site.
As you can see, mis-issuance is complex. The risk of mis-issuance increases with the profile of your site. A site like gmail.com is much more likely to be attacked than a personal blog. But depending on your threat model, any site may be at risk. State actors have been known to issue fraudulent certificates for a variety of sites, including smaller sites that may have gotten attention for political reasons.
Some Pins Are Better Than Others
In practice, there are objectively better choices on what you pin. For example, pinning a leaf certificate (those are the certificates issued to specific domains, like the certificate for “wikipedia.org”) is not a very good choice. That’s because there are a number of situations where you may want, or need, to change your leaf, and some of these situations may be unpredictable or out of your control.
Returning to our example above about Wikipedia.org; if they had pinned that leaf and then suffered key compromise, they would be in trouble. Remember that pinning is done with a specific identity (be it a certificate, public key, etc, as discussed before). So even if they got another leaf certificate from the same vendor (and it used the same key pair), pinning would view that as the wrong identity.
Pinning an intermediate certificate gives you more flexibility. If we pinned an intermediate certificate instead of our leaf, we would be able to switch out our leaf with another leaf from that same intermediate. But, if we were using a public CA, they may change their infrastructure without telling us. So when we renew our certificate the next year, we may get a leaf issued from a different intermediate. So that choice has its own unique downsides.
You can choose to pin multiple identities and back-ups in order to reduce the chance of problems. But pinning best practices are a complicated topic we won’t broach here. Just know that there you should make deliberate choices about what you choose to pin.
In a follow-up post, we will talk about HPKP, an implementation of pinning for use on the internet. The specifics of HPKP work a bit differently – but it’s conceptually similar. We will talk about the pros and cons, and why you may be better off not pinning at all.