SSL Pinning: Does it really secure us from MITM attacks?
Introduction
Most organizations today run infrastructure protected by a wide range of security best practices, such as encrypting data both at rest and in transit and requiring two-factor authentication; how effective these safeguards actually are, however, is uncertain. Security flaws remain: if the website can still be visited over plain HTTP, or if the client has an invalid certificate installed on their machine, an adversary may be able to eavesdrop on the communication and read the data. SSL pinning came into being to address these weaknesses.
Pinning ensures that the data transferred between browser and server retains its integrity and that only authorised parties are able to access it. The technique is often referred to as SSL certificate pinning. Now that we have established why it is helpful, let's go over the specifics of how it protects us from our adversaries.
What is SSL Pinning
An SSL handshake takes place whenever a client begins communicating with a server; it sets up the encrypted session, and during it the server presents its certificate to the client. That certificate carries information signed by a certificate authority, which makes it simple for the client to trust the server and its certificate. Certificates can also be self-signed, however, in which case the client cannot determine who issued the certificate and may be unable to confirm the server's identity; this appears to happen most frequently with Android devices. Certificate validation addresses the problem in part, but if a MITM or DNS poisoning attack takes place it is not very effective. Pinning is introduced to close the gap that certificate validation leaves.
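To make the pinning step concrete, here is an added example (not code from the original article) of a client-side pin check in Python. It assumes whole-certificate pinning, where the pin is the base64-encoded SHA-256 of the server's DER-encoded certificate; the sample certificate bytes, the backup pin value and the host name are constructed placeholders. The check runs in addition to, not instead of, the normal CA validation and hostname check that `ssl.create_default_context()` provides, and it fails closed on any mismatch.

```python
import base64
import hashlib
import socket
import ssl


def pin_of(der_cert: bytes) -> str:
    """Pin string for a DER-encoded certificate: base64(SHA-256(DER))."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def verify_pin(der_cert: bytes, pinned) -> bool:
    """Fail closed: True only if the presented certificate matches a known pin."""
    return pin_of(der_cert) in pinned


def connect_pinned(host: str, port: int, pinned, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes CA validation AND matches one of the pins.

    Pinning is layered on top of the default context, so an attacker who has
    obtained a certificate that chains to a trusted CA (or who installed a rogue
    CA on the client) still fails the pin comparison.
    """
    ctx = ssl.create_default_context()  # CA validation + hostname verification stay on
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # leaf certificate as raw DER bytes
    if not verify_pin(der, pinned):
        tls.close()
        # A mismatch is worth logging/alerting on: it is exactly what an
        # interception attempt looks like from the client's point of view.
        raise ssl.SSLError(f"certificate pin mismatch for {host}: got {pin_of(der)}")
    return tls


# Constructed sample bytes standing in for DER certificates (not real certificates).
SAMPLE_SERVER_CERT = b"constructed-der-bytes-for-the-legitimate-server"
SAMPLE_INTERCEPTOR_CERT = b"constructed-der-bytes-for-an-interception-proxy"

# The pin set should hold the current pin plus at least one backup pin for
# key rotation, so a certificate renewal does not lock every client out.
PINNED = {
    pin_of(SAMPLE_SERVER_CERT),
    "BACKUP-PIN-PLACEHOLDER-replace-with-a-real-base64-sha256",  # constructed placeholder
}


def offline_demo():
    """Run the pin comparison on the constructed samples without any network access."""
    return {
        "legitimate": verify_pin(SAMPLE_SERVER_CERT, PINNED),
        "interceptor": verify_pin(SAMPLE_INTERCEPTOR_CERT, PINNED),
    }


if __name__ == "__main__":
    print(offline_demo())  # legitimate accepted, interceptor rejected
    # Real use would be: tls = connect_pinned("example.invalid", 443, PINNED)
```

In production the pin is usually taken over the SubjectPublicKeyInfo rather than the whole certificate so that a renewed certificate with the same key keeps matching; the comparison logic above is the same either way, only the bytes being hashed change.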