[Owasp-leaders] Certificate pinning - what do you think?

Mike Goodwin mike.goodwin at owasp.org
Thu Nov 5 11:22:34 UTC 2015


Hello all,

I'm looking for some advice on certificate pinning. At first, I thought it
was a good idea, but now I'm having second thoughts about it. The OWASP
guidance on it is here:

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

In the "when do you pin?" section on that page it gives strong guidance:

*"You should pin anytime you want to be relatively certain of the remote
host's identity or when operating in a hostile environment. Since one or
both are almost always true, you should probably pin all the time."*

However, I am concerned about the practical, operational aspects of this.
If you have to change your server certificate in a hurry, say because you
think it has been compromised, or maybe just because someone who has had
access to your private key is leaving your organisation, how do you do this
without disabling all your clients?

I get that your client can store a list of pinned certificates, not just
one, but this only works in planned scenarios such as routine certificate
expiry. I don't see how it helps in "emergency situations". And even in
planned situations, if it is not quick and easy to update all client
applications, then you might still end up with clients unable to connect.

So we will end up making a choice between keeping a compromised certificate
and locking out valid users.

Overall, I am worried that in a real world setting, pinning will do more
harm than good.

Any expert opinions would be very welcome!

Best regards,

Mike
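The trade-off Mike describes, a client holding a list of pins, a planned rotation to a pre-pinned backup key, and an emergency rotation to a key nobody pinned, can be modelled in a few lines. The example below is added here and is not code from the post or from OWASP. It uses constructed byte strings as stand-ins for DER SubjectPublicKeyInfo blobs (no real keys are involved), the hostname `api.example.test` and the helper names `PinnedClient`, `planned_rotation`, `emergency_rotation`, `intermediate_pinning` and `staged_rollout` are all assumed. The pin format (base64 of SHA-256 over the SPKI) is the one used by HPKP and common mobile pinning libraries. It goes a little beyond the post by also showing the two usual mitigations: pinning the issuing intermediate CA's key rather than the leaf key, and measuring how many clients a staged pin update has reached before the key is switched.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, Set, Tuple


def spki_pin(spki_der: bytes) -> str:
    """Pin value as used by HPKP/OkHttp: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
# Pins hash the public key, not the certificate, so a cert re-issued for the
# same key still matches; only a key change can break a pin.
LEAF_KEY_A = b"constructed-spki-leaf-key-A"             # key in use today
LEAF_KEY_B = b"constructed-spki-leaf-key-B"             # pre-generated backup key, kept offline
LEAF_KEY_C = b"constructed-spki-leaf-key-C"             # brand-new key created in an emergency
INTERMEDIATE_KEY = b"constructed-spki-intermediate-ca"  # issuing CA's key


@dataclass
class PinnedClient:
    """A client that trusts a host only if some SPKI in the served chain matches a pin."""
    host: str
    pins: Set[str]

    def connect(self, chain_spkis: Iterable[bytes]) -> bool:
        """True if the handshake would be accepted under this client's pin set.
        Real clients run this check only after normal chain validation succeeds."""
        return any(spki_pin(spki) in self.pins for spki in chain_spkis)


def planned_rotation() -> Tuple[bool, bool]:
    """Primary + backup pin: switching the server to the backup key keeps clients working."""
    client = PinnedClient("api.example.test", {spki_pin(LEAF_KEY_A), spki_pin(LEAF_KEY_B)})
    before = client.connect([LEAF_KEY_A, INTERMEDIATE_KEY])
    after = client.connect([LEAF_KEY_B, INTERMEDIATE_KEY])  # server rotated A -> B
    return before, after


def emergency_rotation() -> bool:
    """A key nobody pinned in advance (C) locks out every client that still holds the old pins."""
    client = PinnedClient("api.example.test", {spki_pin(LEAF_KEY_A), spki_pin(LEAF_KEY_B)})
    return client.connect([LEAF_KEY_C, INTERMEDIATE_KEY])


def intermediate_pinning() -> Tuple[bool, bool]:
    """Pin the issuing CA key instead of the leaf: an emergency re-issue with new key C
    from the same CA is accepted, a leaf issued by some other CA is not."""
    client = PinnedClient("api.example.test", {spki_pin(INTERMEDIATE_KEY)})
    reissued = client.connect([LEAF_KEY_C, INTERMEDIATE_KEY])
    other_ca = client.connect([LEAF_KEY_C, b"constructed-spki-some-other-ca"])
    return reissued, other_ca


def staged_rollout(clients_updated: int, total_clients: int) -> float:
    """Share of the fleet still able to connect after switching to key C when only
    `clients_updated` clients received the new pin set {B, C} before the switch."""
    if total_clients <= 0:
        return 0.0
    old_pins = {spki_pin(LEAF_KEY_A), spki_pin(LEAF_KEY_B)}
    new_pins = {spki_pin(LEAF_KEY_B), spki_pin(LEAF_KEY_C)}
    fleet = [PinnedClient("api.example.test", new_pins if i < clients_updated else old_pins)
             for i in range(total_clients)]
    still_ok = sum(c.connect([LEAF_KEY_C, INTERMEDIATE_KEY]) for c in fleet)
    return still_ok / total_clients


if __name__ == "__main__":
    print("planned rotation (before, after):", planned_rotation())
    print("emergency rotation to unpinned key:", emergency_rotation())
    print("pin on intermediate (reissue, other CA):", intermediate_pinning())
    print("staged rollout, 30 of 100 clients updated:", staged_rollout(30, 100))
```

The model makes the operational point concrete: a backup pin only covers rotations you planned for, and switching to an unplanned key disconnects exactly the fraction of clients that have not yet picked up a new pin set. Pinning the intermediate CA's key trades some assurance (any certificate that CA issues for the host is accepted) for the ability to re-key the leaf at short notice, which is why it is the usual compromise when client updates cannot be pushed quickly.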