What is SSL Pinning?


SSL, the Hypertext Transfer Protocol, is one of the two chief protocols used to transmit secure data from one computer to another. SSL is used for transmitting sensitive personal and financial information online and keeps that information safe by encrypting it.

How is this done? There are two ways to accomplish SSL pinning. One way is called certificate pinning, where client computers that have already received an SSL certificate show a special padlock icon next to the padlock in the lower right-hand corner of their screen, denoting that they are protected against man-in-the-middle attacks.


The second way is for browsers to communicate directly with servers that have SSL certificates, so that the web page being requested would have received an SSL certificate, indicating that this server has assured that only legitimate SSL certificates would be permitted to connect.

The concept of SSL pinning first became public in September 2021, when Google released the Chrome browser. The company made this move in response to increasing security concerns surrounding the spread of spyware and other potentially harmful programs. With SSL pinning, webmasters can ensure that only they and their customers have access to a site. This helps prevent casual attacks on sites that could easily compromise a business’s or a person’s online security. For example, a person could easily install a virus into a computer that has an SSL certificate, so that if anyone were to see the padlock icon, they would think that the site was protected and safe.

SSL/TLS enables organizations to use external authentication and encryption to verify the identity of the website’s client before sharing sensitive data over the Internet. It makes it impossible for a hacker to use another person’s valid certificate as an authenticator. With SSL pinning, web developers and webmasters can make it possible for anyone to visit a site and enter information, but when that information leaves the site, the certificate will change and prevent third parties from gaining access to it. A website with an SSL certificate will appear to the system as a trusted resource. When a user visits the site, they will be asked to enter this information, and the website will then make it possible for the user to access the secure portion of the site.

The process of SSL pinning involves two different operations. First, the application requesting the new digital certificate needs to verify the authenticity of the server certificate. If it has a matching signature from an authentic Certificate Authority (CA), then the server certificate is considered trustworthy and the website will be able to access the pin area, which contains the private key. Second, once the website owner receives the final verification that the server certificate is trustworthy, they will update their web server certificate file. This new file will have the lock pin, not the pin pattern, and will replace the old public key certificate file.
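The server-certificate verification step described above, shown as an added example that is not part of the original article: in a TLS client, pinning is the client computing a SHA-256 digest of the server's SubjectPublicKeyInfo and accepting the handshake only if that digest is in a set of expected pins, after the usual chain and hostname validation has already passed. The code below (Go standard library only) generates a throwaway self-signed certificate as constructed test data, derives its pin, wires the check into a `tls.Config` through `VerifyPeerCertificate`, and runs one handshake with a matching pin and one with a wrong pin over loopback. The host name `pinned.example` and the function names are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SpkiPin returns the base64 SHA-256 digest of a certificate's DER
// SubjectPublicKeyInfo. Pinning the key rather than the whole certificate
// survives a certificate renewal that keeps the same key pair.
func SpkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPins accepts the presented chain only if at least one certificate in
// it carries a pinned public key. Operationally the set should also hold a
// backup pin for a key kept offline, so a key rotation does not lock clients out.
func VerifyPins(pins map[string]bool, rawCerts [][]byte) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("pinning: cannot parse presented certificate: %w", err)
		}
		if pins[SpkiPin(cert)] {
			return nil
		}
	}
	return errors.New("pinning: no certificate in the presented chain matches a pinned key")
}

// PinnedClientConfig adds the pin check on top of normal validation. With
// InsecureSkipVerify left false, Go verifies chain and hostname first and only
// then calls VerifyPeerCertificate.
func PinnedClientConfig(pins map[string]bool, serverName string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		RootCAs:    roots,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return VerifyPins(pins, rawCerts)
		},
	}
}

// selfSignedCert makes a throwaway ECDSA key and self-signed certificate:
// constructed test data standing in for a real server certificate.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

func main() {
	serverCert, leaf, err := selfSignedCert("pinned.example")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // trust the test cert so chain validation runs and passes

	// Loopback TLS server; the pin lives in the client config, not the server.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			s := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}})
			s.Handshake() // errors when the client rejects the pin; expected
			s.Close()
		}
	}()

	for _, tc := range []struct {
		name string
		pins map[string]bool
	}{
		{"matching pin", map[string]bool{SpkiPin(leaf): true}},
		{"wrong pin", map[string]bool{"constructed-pin-that-matches-nothing": true}},
	} {
		conn, err := tls.Dial("tcp", ln.Addr().String(), PinnedClientConfig(tc.pins, "pinned.example", roots))
		if err == nil {
			conn.Close()
		}
		fmt.Printf("%-13s -> handshake error: %v\n", tc.name, err)
	}
}
```

The first dial succeeds and the second fails inside the client before any application data is sent, which is the behaviour a pinned client should show when a certificate chains to a trusted CA but carries an unexpected key.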

There are two ways in which websites can acquire SSL pinning protection. First, the website owner can generate their own public key and have it added to the set pin list of Certificate Authorities. The advantage of this is that the CA will validate that the public key belongs to the owner. Secondly, the website owner can purchase a pin list from a Certificate Authority and have this list pushed to all of their servers.

How do you determine what option is best for you? Consider your site’s audience, maintenance, budget, and frequency of page loads. If you have a low-traffic, low-maintenance site, then both options are fine. If you want to get high performance, frequent updates, and better security, then a hosted Certificate service is your best option. On the other hand, if your site is used to distribute confidential information or financial transaction data, then you would be better off with the two options discussed above.

The use of SSL pinning in Android web applications and services was first introduced to the world with the Android 2.3 release. This security feature is implemented as an additional security layer over the HTTP protocol and serves as a response encryption method for users who access the internet from a smartphone. Users may use a smartphone to surf the web, but there are always inherent risks. This is why Google created the additional security that pinning provides.

Today, it is not difficult to find reputable and established certificate authorities that offer SSL pinning services. In fact, you can also request an application that generates your own public key. Both options should be considered when you are choosing how to secure your Android apps. Although it is not a popular solution for mobile device security, it is still a viable one. That is why it is wise to request your certificate from a trusted and established provider.
