TLS/SSL Certificate Pinning Explained

  • added 12. 06. 2024
  • A lot of mobile applications employ this technique of SSL/TLS pinning, where they fix the hash of the certificate or of the public key in the app itself for extra security. What is TLS or SSL certificate pinning? Why do we need it? We discuss it in this video.
    0:00 Intro
    1:30 How Does Certificate Validation Work?
    3:30 Problems with Certificate Validation
    5:50 TLS/SSL Certificate Pinning
    10:00 Pros & Cons
  • Science & Technology

Comments • 53

  • @mkc0321 · 3 years ago · +18

    I cracked my interview with this explanation.. thanks a lot

    • @hnasr · 3 years ago

      👏👏

    • @joelewis9137 · 2 years ago

      You all probably don't give a shit, but does anyone know a method to get back into an Instagram account?
      I stupidly forgot my password. I would appreciate any help you can offer me.

  • @asifahmedsourav6355 · 3 years ago

    Easy and helpful. Thanks a ton, Hussein Sir. Learning these types of things has never been this easy.

  • @thiruvenkatakrishnan4242

    Great and clear explanation! Thank you

  • @raghuvallikkat3384 · 3 years ago · +4

    thank you for accommodating the request

  • @MasterSergius · 2 years ago

    Thank you, now I completely understand it

  • @ismailayoub3139 · 3 years ago · +2

    Great explanation as always man

  • @MrVipulLal · 1 year ago

    Short and sweet. Thanks

  • @sergeymohov2699 · 3 years ago · +1

    Hussein, you are great.

  • @techmarinar · 2 years ago

    Thanks man, this was very helpful to me ☺️☺️

  • @Drunkenhead · 3 years ago · +4

    Hi Hussein, nice explanation. But as you mentioned, there may be a dynamic set of domains. Is there an alternative for this situation? There is an approach called Certificate Transparency (CT); could you make a video about that?

  • @d36247 · 1 year ago

    Thanks, nice and clear explanation

  • @verryondrums · 3 years ago

    This was a great great great explanation!

    • @hnasr · 3 years ago

      Glad you enjoyed it!

  • @ruhankhandakar · 3 years ago

    Awesome.. thanks

  • @thechirpy_wanderer · 2 years ago

    Hi, thanks for explaining... Is there any way of doing SSL pinning where we can make changes on the server side only, without making any changes in the app, so that we don't need to release the app with the new certificate on the store when the certificate expires?

  • @Cutecontentsforyou · 4 months ago · +1

    Why are you explaining it for so long.. it's actually very simple

  • @abdulmoizsheikh8031 · 3 years ago

    Hi, I didn't quite get what you meant by recompiling the source after adding an entry for the certificate hash. I assume you mean adding/removing key-value pairs in the store?

  • @ch94086 · 3 years ago · +2

    Hi Hussein! Maybe you can do a follow-up on public key pinning and certificate transparency. It seems like most certificate pinning libraries set a hash of the Subject Public Key Info. (It wasn't clear to me whether the CA key is sometimes pinned.) While watching your video I was going to comment on pinning a certificate that expires in a month, but you mentioned it. Pinning the key hash solves that. I guess some apps have a side channel to update the pinned key hashes.

    • @hnasr · 3 years ago

      Carl Hage thanks Carl! Yes, I think there are multiple ways of tackling this. Pinning the hash of the public key seems to be the least disruptive..

  • @lusrinu · 3 years ago · +1

    Super video. When did TLS pinning become popular for authentication between servers?

  • @rishiprotimbose6167 · 3 years ago · +1

    Hussein, you are the saviour man... I was trying to explore this. Wasted a few days trying to understand it. But your explanation cleared up every single doubt ... 😂

    • @hnasr · 3 years ago · +1

      ❤️❤️

  • @douaasu3931 · 2 years ago

    Thank you

  • @alevsk · 2 years ago

    In the case of DNS poisoning, the malicious website can still serve the public key certificate from the original website (because it is public), but you still need to have the private key to decrypt the traffic, so how is it going to work?
    You either hack the original server and steal the private key from there, or you have to trick a certificate authority into issuing you a new valid key pair/certificate trusted by the clients; in both cases there's no need for DNS poisoning at this point. Is there something I'm missing?

  • @godfirstamaka4185 · 1 year ago

    😂😂😂.. I love your content and how funny you are

  • @heetdhuvad9984 · 4 months ago

    Cloudflare SSL gets renewed after 3 months, so every 3 months I need to update the APK with the new hash. Is there any solution for this?

  • @godfirstamaka4185 · 1 year ago

    And I ended up subscribing too

  • @nitinneo7 · 2 years ago

    Hi Hussein, for mobile applications which have a specific endpoint (domain) to connect to, it is clear that SSL pinning would keep the request secure. Is there any way that the request could be seen by a man in the middle, and if so, could they get the details of the pinned certificate?

    • @syth-1 · 1 year ago

      A man in the middle won't see the content of the traffic; heck, it will fail at the handshake, as the client will reject the certificate it tries to spoof. You can make an educated guess as to why it failed (aka the application uses cert pinning); the only thing you will see is the URL/domain it tried connecting to.
      On Android it puts you into a full lockdown as soon as you connect to a man-in-the-middle router, at least on Android 12 (it gives a notification saying connection functionality is limited or something).

  • @cyberrado · 1 month ago

    I truly love your explanation. But somehow I feel Lalo Salamanca is talking :D

  • @lusrinu · 3 years ago · +1

    A request: can you do a video on the history of security techniques (TLS / Kubernetes / OpenSSL) with the options applicable to different types of projects: e-commerce / bank / mobile app, etc.

    • @lusrinu · 3 years ago

      Basically I wanted to have a primer on the history of security techniques and the current landscape

  • @pranaychoudhary3253 · 2 years ago

    Great video! I have one question though: what happens when the pinned certificate expires?

    • @nitinneo7 · 2 years ago

      Great question! Let's take the example of the mobile application connecting to known domain servers, as pointed out at the end of the video. So, the Android developer has the option of pinning the low-level domain cert, which might have a validity of one year, or the CA one, which might have a validity of 3-5 years. Let's say they pin the domain certificate, which has 1 yr validity. Now, before the cert expires, at the mobile end they shall chain the old cert and the new cert and provide an update to the application. This way, when the server undergoes the cert change there would not be any bad experience for the customer using the mobile application. The problem would only appear if automatic updates are turned off. Also, usually this is controlled by the minimum version support of the application, which would thereby mandate the user to update the application to use it further.
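The two threads above (pinning the Subject Public Key Info hash rather than the whole certificate, and shipping the old and the new pin together before a rotation) are easier to reason about with the check written out. The following is an added example, not code from the video or from the channel: it builds the HPKP-style pin base64(SHA-256(SPKI)), wires it into a function with the shape of Go's `tls.Config.VerifyPeerCertificate`, and then walks through three handshakes: a renewed certificate that keeps the same key, a rotation to a key whose backup pin was already shipped, and a certificate for the same name under a key nobody pinned. The hostname `api.example.test`, the self-signed test certificates and all keys are constructed here for the demonstration; a real app would run this check in addition to normal chain validation, never instead of it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pinFromSPKI hashes a DER-encoded SubjectPublicKeyInfo the way HPKP and most
// mobile pinning libraries do: base64(SHA-256(SPKI)).
func pinFromSPKI(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinFromPublicKey computes the pin for a key that has no certificate yet; this is
// how a backup pin for a not-yet-deployed key can be compiled into the app ahead of time.
func pinFromPublicKey(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub) // DER SubjectPublicKeyInfo, same bytes a cert carries
	if err != nil {
		panic(err)
	}
	return pinFromSPKI(der)
}

// pinSet is the set of pins shipped in the app build: the live key plus backups.
type pinSet map[string]bool

// verifyPeerPins has the signature of tls.Config.VerifyPeerCertificate. It accepts the
// handshake if any certificate in the presented chain carries a pinned public key,
// so a leaf, intermediate or root pin all work with the same code.
func (p pinSet) verifyPeerPins(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		if p[pinFromSPKI(cert.RawSubjectPublicKeyInfo)] {
			return nil
		}
	}
	return errors.New("pinning failure: no certificate in the chain matches a shipped pin")
}

// newKey generates a P-256 key; constructed test data, not a production key.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// selfSignedLeaf issues a constructed self-signed certificate for the assumed
// hostname api.example.test so the scenario below runs offline with no real CA.
func selfSignedLeaf(key *ecdsa.PrivateKey, lifetime time.Duration) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "api.example.test"},
		DNSNames:     []string{"api.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// rotationScenario reports whether each of the three handshakes discussed in the
// thread is accepted by the pins that were shipped in the app.
func rotationScenario() (renewedSameKey, rotatedToBackupKey, unpinnedKey bool) {
	liveKey, backupKey, strangerKey := newKey(), newKey(), newKey()
	// Shipped with the app: the live key's pin plus a backup pin for a key kept offline.
	shipped := pinSet{
		pinFromPublicKey(&liveKey.PublicKey):   true,
		pinFromPublicKey(&backupKey.PublicKey): true,
	}
	// 1. The 90-day cert is renewed but the server keeps its key pair: pin still matches.
	renewed := selfSignedLeaf(liveKey, 90*24*time.Hour)
	renewedSameKey = shipped.verifyPeerPins([][]byte{renewed}, nil) == nil
	// 2. The server rotates to the backup key: accepted because its pin shipped earlier.
	rotated := selfSignedLeaf(backupKey, 90*24*time.Hour)
	rotatedToBackupKey = shipped.verifyPeerPins([][]byte{rotated}, nil) == nil
	// 3. A cert for the same name under a key nobody pinned: rejected at the handshake.
	stranger := selfSignedLeaf(strangerKey, 90*24*time.Hour)
	unpinnedKey = shipped.verifyPeerPins([][]byte{stranger}, nil) == nil
	return
}

func main() {
	a, b, c := rotationScenario()
	fmt.Printf("renew same key: %v, rotate to backup key: %v, unpinned key: %v\n", a, b, c)
}
```

Case 1 is why key pinning answers the "certificate renewed every 3 months" concern as long as the server keeps its key pair across renewals; case 2 is the "ship the old and new pin together" update described in the reply, done with a backup key generated before the rotation; case 3 is the interception scenario the video covers, failing before any application data is sent. Pinning only the leaf key still leaves an app stranded if the server is re-keyed with no backup pin shipped, which is the operational trade-off the comments about rotation are pointing at.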

  • @mikexue5104 · 3 years ago · +1

    What if, at the very first SSL/TLS session from client to server, there is a man in the middle who pretends to be the server? Will the client be cheated?

    • @abdulmoizsheikh8031 · 3 years ago

      I think that might only happen in the extreme case of DNS poisoning. Otherwise, your browser will catch whether the digital signature sent from the server is valid or not.

  • @ca7986 · 3 years ago

    ❤️

  • @gauthamr906 · 3 years ago

    Wouldn't the client verify the domain in the shady certificate it received back and reject it if it's not the same as the one requested?

    • @hnasr · 3 years ago · +1

      Gautham R the shady certificate will have the same domain requested by the client; it's just signed by a shady CA

    • @gauthamr906 · 3 years ago

      Hussein Nasser Thanks a lot. That makes sense.

  • @LtW00dy · 6 months ago

    Great explanation, but it's considered a bad practice these days. If certificates need to be updated because one was spoofed, expired, or simply needs rotation (which is mandatory for compliance with regulations), this can't be done with the agility that is necessary. Also, it's important to say that HPKP is now deprecated.

  • @jayseb · 1 year ago

    Good video, but these days an attacker can't just serve you a "shady" cert. You (the user) will need to accept the "injected" cert/root and then import it and go on with the app flow... If users simply accept an injected cert and authority, we have all failed. But yeah, it's technically possible, but not without the acceptance, just like when using Burp on your local machine to proxy the flow. Your browser won't simply enable comms; the certs and root have to be injected. Cheers.

  • @cstlabs1772 · 1 year ago

    Fail ..haiinn,

  • @murradkhalil1429 · 2 years ago

    hhhhhhh, "my pins are the worse"

  • @moosegoose1282 · 3 years ago

    The Indian tutorial told me SSL pinning means "uh er uh uh". Holy fuck, thank you