🔐 What Is Certificate Pinning?
Certificate pinning is a security technique that helps prevent man-in-the-middle (MITM) attacks by associating a service (like a website or mobile app backend) with a specific TLS certificate or, more commonly, a specific public key.
Instead of trusting any certificate that chains to a trusted Certificate Authority (CA), the client (browser, app, etc.) "pins" one or more expected certificates or keys. If none of the certificates presented during the TLS handshake matches a pin, the connection is rejected, even if the chain is technically valid. Pinning is applied on top of normal chain validation, not instead of it.
✅ Why Use It?
To protect against scenarios where a CA is compromised, an attacker tricks a CA into issuing a fraudulent certificate for your domain, or the device trusts a CA it should not (a user-installed root, a corporate interception proxy, or malware that added a root certificate).
Without pinning:
A rogue certificate signed by a trusted CA could be accepted by the client.
With pinning:
The client expects a specific certificate/key and will reject any impostors — even if they appear valid.
🛠️ How Is It Implemented?
- Static Pinning:
Pins are hardcoded into the application (common in mobile apps). Modern practice pins the SHA-256 hash of the SubjectPublicKeyInfo (SPKI) rather than the whole certificate, so a routine certificate renewal with the same key does not break the app, and ships at least one backup pin for a key that is kept offline. On Android this is declared in `network_security_config.xml` (`<pin-set>` with `<pin digest="SHA-256">` entries and an `expiration` date); on iOS it is done in the `URLSession` delegate or, since iOS 14, with the `NSPinnedDomains` key in Info.plist.
- Dynamic Pinning (HPKP, now deprecated):
The server tells the client which keys to expect in the future via the `Public-Key-Pins` HTTP header. Browsers removed HPKP support (Chrome dropped it in version 72) because a mistaken or malicious header could lock users out of a site for the header's `max-age`.
📱 Example: Mobile App
A banking app pins the public key of its API server. An attacker on a rogue Wi-Fi hotspot who presents a certificate the phone would otherwise accept, for example one issued by a root the user was tricked into installing or one mis-issued by a CA, still gets the connection refused, because the key in the presented chain does not match any pin. (A plain self-signed forgery would already fail ordinary CA validation; pinning is what protects against certificates that pass it.)
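The following is an added example, not code from the original page. It shows the two pieces a pinning implementation needs: computing the SPKI pin of a certificate (the same value `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` prints) and checking a verified chain against a pin set that includes a backup pin. It uses only the standard library and a hand-built, unsigned certificate-shaped DER structure so it runs offline; the keys, names, OIDs in `build_test_spki`/`build_test_cert` and the `demo` scenario are all constructed for illustration. In a real client, `chain_matches_pins` runs on the chain that the TLS library has already validated.

```python
import base64
import hashlib

# ---- minimal DER helpers (encode for the test fixture, decode for the check) ----
def _der_len(n: int) -> bytes:
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo TLV of an X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, start)  # tbsCertificate
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    tag, _, vend = _read_tlv(cert_der, pos)
    if tag == 0xA0:                 # optional EXPLICIT [0] version
        pos = vend
    for _ in range(5):              # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("bad subjectPublicKeyInfo")
    return cert_der[pos:end]        # whole TLV, header included, as HPKP/Android hash it

def spki_pin(cert_der: bytes) -> str:
    """Base64(SHA-256(SPKI)), the usual pin format."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def chain_matches_pins(chain_der, pins) -> bool:
    """Pin rule used by HPKP and Android: at least one certificate in the
    (already CA-validated) chain must carry a pinned public key."""
    pin_set = set(pins)
    return any(spki_pin(cert) in pin_set for cert in chain_der)

# ---- constructed test fixtures: certificate-shaped DER, unsigned, demo only ----
def build_test_spki(key_bytes: bytes) -> bytes:
    # AlgorithmIdentifier { id-ecPublicKey, prime256v1 } + BIT STRING(key)
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")
                  + der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key_bytes))

def build_test_cert(spki_der: bytes, cn: str = "api.example.test") -> bytes:
    """Layout of a v3 certificate with placeholder signature; NOT a valid cert."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
                      + der_tlv(0x05, b""))                       # sha256WithRSA
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03")
                                                 + der_tlv(0x0c, cn.encode()))))
    validity = der_tlv(0x30, der_tlv(0x17, b"250101000000Z") + der_tlv(0x17, b"260101000000Z"))
    tbs = der_tlv(0x30, version + serial + sig_alg + name + validity + name + spki_der)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + bytes(8)))

def demo() -> dict:
    """Rotation and attack scenario with constructed keys (placeholder bytes)."""
    live_spki = build_test_spki(bytes(range(65)))              # key in production
    backup_spki = build_test_spki(bytes(reversed(range(65))))  # key held offline
    attacker_spki = build_test_spki(bytes([0x42] * 65))        # mis-issued cert's key
    pins = [spki_pin(build_test_cert(live_spki)),
            base64.b64encode(hashlib.sha256(backup_spki).digest()).decode()]
    return {
        "live_ok": chain_matches_pins([build_test_cert(live_spki)], pins),
        "rotated_ok": chain_matches_pins([build_test_cert(backup_spki)], pins),
        "attacker_blocked": not chain_matches_pins([build_test_cert(attacker_spki)], pins),
    }

if __name__ == "__main__":
    print(demo())
```

The backup pin is what makes rotation survivable: the app built today already accepts the offline key, so the server can switch to it without an app update. Without it, the "bricking" failure mode described below is one expired or reissued key away.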
⚠️ Pros & Cons
Pros:
- Blocks MITM attacks that rely on a certificate the device would otherwise trust (rogue or mis-issued certificates, user-installed roots)
- Increases confidence in the integrity of the connection
Cons:
- If the pinned certificate or key changes (expiry, reissue, key rotation) and the app isn't updated, connectivity breaks; pinning the public key rather than the certificate and shipping a backup pin for an offline key reduces this
- Can lead to "bricking" apps if not carefully managed, which is why HPKP was abandoned by browsers
- Does not stop an attacker who controls the device: on a rooted or jailbroken phone the pin check can be hooked out at runtime with tools such as Frida, so pinning is a transport protection, not a substitute for server-side security
🧩 TL;DR
Certificate pinning = only trusting this exact certificate or public key, not just any from a trusted CA.
It's like not just checking someone's passport is real, but making sure it matches exactly the one you know they should have.