What is certificate pinning?

Answer

Certificate pinning is a technique in which a client application hardcodes (pins) the server certificate or public key it expects and rejects any other certificate, even a valid one signed by a trusted CA. This defeats MITM attacks in which an attacker presents a certificate for the same hostname issued by a different (but trusted) CA.

Two types:

Certificate pinning: pins the exact certificate, so the app must be updated at every certificate renewal.

Public key pinning: pins the public key, which is more flexible: as long as the key is kept, it can be carried over into new certificates without changing the pin.

Implementation: in mobile apps (Android TrustKit, iOS NSURLSession) and in HTTP clients (OkHttp's CertificatePinner). HPKP (HTTP Public Key Pinning) was a web standard but was deprecated because of its catastrophic failure risk: if a site pinned incorrectly, it became permanently inaccessible.

Certificate pinning is recommended for high-security mobile apps (banking, healthcare), but it requires a robust pin update mechanism and backup pins (pins for spare keys held offline, so the app can roll to a new key without an emergency release).