Tag Archive for: pinning

Chrome Supports Key Pinning on Android to Improve Security


Key pinning, a technique used to prevent an attacker from tricking a vulnerable certificate authority (CA) into issuing an apparently valid certificate for a server, is now used in Chrome for Android, version 106. This helps prevent man-in-the-middle attacks against Google services.

As Chrome security engineers David Adrian, Joe DeBlasio, and Carlos Joan Rafael Ibarra Lopez explain, key pinning was devised at Google as a response to real attacks seen in the wild, specifically an attack that targeted Google services in 2011.

Key pinning was born as an extension to the HTTP protocol, later deprecated, that enabled sending an HTTP header that tells user agents to “pin” cryptographic identities over a period of time.

During that time, user agents (UAs) will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host.

This effectively reduces the number of CAs that can authenticate the domain while the identity is pinned. While effective, key pinning has its own drawbacks. For example, if pins get out of date, there’s a risk of locking users out of a service, which leads to a number of good practices:

Whenever pinning, it’s important to have safety-valves such as not enforcing pinning (i.e. failing open) when the pins haven’t been updated recently, including a “backup” key pin, and having fallback mechanisms for bootstrapping.

These mechanisms are hard for individual sites to manage, say Google engineers, which, as mentioned, led to the RFC being deprecated. As a matter of fact, Google removed public key pinning from Chrome in 2017. But key pinning may still have its own use cases, including web browsers, automatic software updates, and package managers, where client and server are operated by the same entity.
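As an added example (not code from the Chrome post or from Google) of the pin check and safety valves described above: it parses a constructed Public-Key-Pins header, refuses to note pins unless the chain matches one pin and a backup pin is also present, and fails open once the noted pins are stale. The SPKI blobs are constructed placeholders, not real DER keys.

```python
import base64
import hashlib
from dataclasses import dataclass

def spki_fingerprint(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the SubjectPublicKeyInfo DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

@dataclass(frozen=True)
class PinSet:
    pins: frozenset   # noted pin-sha256 values for the host
    expires_at: int   # unix time after which the pins are stale

def parse_pkp_header(header: str):
    """Split a Public-Key-Pins header value into its pins and max-age."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip('"')
        if name == "pin-sha256" and value:
            pins.add(value)
        elif name == "max-age":
            max_age = int(value)
    return pins, max_age

def note_pins(header: str, chain_spkis, now: int):
    """Note pins only if the chain matches one pin AND a backup pin exists."""
    pins, max_age = parse_pkp_header(header)
    if max_age is None or not pins:
        return None
    chain_fps = {spki_fingerprint(s) for s in chain_spkis}
    if not (pins & chain_fps) or not (pins - chain_fps):
        return None  # no chain match, or no backup pin: refuse to pin (HPKP backup-pin rule)
    return PinSet(frozenset(pins), now + max_age)

def check_chain(chain_spkis, pinset: PinSet, now: int) -> str:
    """Enforce noted pins; stale pins fail open instead of locking users out."""
    if now > pinset.expires_at:
        return "fail-open"
    if any(spki_fingerprint(s) in pinset.pins for s in chain_spkis):
        return "pass"
    return "fail"

# Constructed stand-ins for SPKI DER blobs (not real keys).
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-backup-spki"
ROGUE_SPKI = b"constructed-rogue-ca-spki"
PKP_HEADER = (f'pin-sha256="{spki_fingerprint(INTERMEDIATE_SPKI)}"; '
              f'pin-sha256="{spki_fingerprint(BACKUP_SPKI)}"; max-age=5184000')
```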

Specifically, in Google’s case, thanks to the control that the company has over its browser, Chrome embeds pinned certificates (pins) for all Google properties. This means every HTTPS connection to a Google property is authenticated only through a key belonging to the embedded set of pins.

To fully understand what role key pinning plays into Chrome…

Source…

Is Certificate Pinning Worth it?



In a word – yes; when implemented correctly, certificate pinning is an effective method for securing mobile application traffic by restricting the accepted certificates to just those you are willing to trust. In its most secure manifestation, this trust sits outside the standard TLS certificate store managed by the device.

We’ve written extensively on the topic of certificate pinning and at the end of this article you’ll find links to more in-depth articles as well as a handy free tool for auto generating pinning configurations.

How does TLS protect the mobile channel?

TLS enables two parties to communicate securely using Public Key Infrastructure (PKI) and Certificate Authorities. With PKI, a mobile app can verify the identity of the backend server by checking its certificate against a trusted third party (the Certificate Authority). A list of trusted certificates is held by the device in order to verify the identity of valid servers.

The API channel between mobile applications and their backend servers is an increasingly common attack vector due to the rapid growth in mobile app usage. TLS alone is not enough to protect this channel – it can be intercepted and manipulated.

If an attacker is able to modify the set of trusted device certificates, directly or via a device vulnerability, or fraudulently obtain a trusted certificate for the target domain, then a MitM attack is still possible.

A MitM attacker can intercept the encrypted traffic and trick the mobile app into thinking it is communicating with a valid backend server. The attacker is then able to modify or manipulate the traffic and transmit it back along the encrypted channel to the backend service.

Approov diagram showing Man in the Middle attack

What is certificate pinning and how does it prevent MitM attacks?

Certificate pinning replaces dependence on the device’s set of certificates with a set of certificates known and trusted by the app itself. For static pinning, the set of certificates trusted by the app (the pins) is distributed with the app itself. Updates to the permitted pins need to be distributed via a new version of the app.

However, given how slow end users can be to install updates, there is a risk that the app will no longer function…

Source…

Certificate pinning – first for websites, now for software?

You may have heard of certificate pinning. Microsoft is looking at applying the technology to signed software. Have a listen as Patrick Gray, host of the renowned Risky Business security podcast, discusses the issue with Naked Security’s Paul Ducklin.
Naked Security – Sophos