Hacker Read

tptacek · 2015-03-23 23:19:37+00:00

That's part of the point of certificate pinning.

dotancohen | karma 9525 | avg karma 1.72 · | 2023-08-14 12:10:33

How does that work with certificate pinning?

saurik | karma 31936 | avg karma 4.3 · | 2020-11-17 13:06:36

This is prevented by certificate pinning.

mr_toad | karma 5817 | avg karma 1.71 · | 2022-09-30 20:16:07

That might be because of certificate transparency rather than certificate pinning.

semiquaver | karma 3355 | avg karma 6.19 · | 2024-03-27 05:04:49

Certificate pinning would defeat this. Bake it into your app that you only trust a specific certificate regardless of what is in the system trust store.

saagarjha | karma 56017 | avg karma 2.29 · | 2018-03-28 04:27:53+00:00

Certificate pinning is inherently security by obscurity; it's intended as an annoyance for anyone trying to reverse-engineer the service, rather than an insurmountable barrier.

matheusmoreira | karma 22085 | avg karma 2.63 · | 2020-05-10 23:38:50+00:00

Can certificate pinning be defeated?

martinald | karma 4452 | avg karma 3.22 · | 2016-02-18 21:09:38+00:00

Certificate pinning is easy to defeat.

rektide | karma 9514 | avg karma 1.5 · | 2023-05-08 16:41:36

Certificate pinning is one of the most user-hostile security inventions we've created. It makes it so hard to get access to the traffic coming out of your own device, which heavens, seems like such an elementary ask.

jmgrosen | karma 911 | avg karma 3.8 · | 2014-07-21 23:26:03+00:00

Hm, do you know how? I'd guess certificate pinning, which would be rather prudent of them, but I'm not sure.

TheLoneWolfling | karma 1750 | avg karma 1.05 · | 2014-12-03 21:13:47+00:00

Certificate pinning helps, although it obviously doesn't prevent an attack against something you haven't seen before.

dzhiurgis | karma 3122 | avg karma 0.65 · | 2016-11-13 10:33:55+00:00

Certificate pinning is gaining popularity e?f?f?e?c?t?i?v?e?l?y? somewhat thwarting MITM attacks.

ec109685 | karma 5793 | avg karma 1.8 · | 2019-03-10 22:24:08+00:00

With certificate pinning, that is not a high risk.

rosndo | karma 953 | avg karma 1.02 · | 2022-04-20 17:10:35

I already addressed this in the very comment you were replying to, certificate pinning is very easy to defeat with public tools.

leni536 | karma 3944 | avg karma 2.53 · | 2018-03-08 08:08:35+00:00

I don't think so. Certificate pinning protects from rouge CAs.

heyoni | karma 1801 | avg karma 1.85 · | 2020-09-11 21:05:27

And this can be used to defeat certificate pinning?

choko | karma 649 | avg karma 2.11 · | 2022-09-09 13:21:22

There is not a solid consensus on cert pinning, and for good reason.

https://www.digicert.com/blog/certificate-pinning-what-is-ce...

reply

capableweb | karma 37790 | avg karma 4.15 · | 2020-11-01 16:35:57+00:00

Think there are a few tools for getting around the certificate pinning, projects like sensepost/objection

p410n3 | karma 630 | avg karma 4.53 · | 2020-12-18 15:22:41+00:00

In security, certificate pinning is a good practice because it defends against, who guessed it, MITM.

throwaway2048 | karma 9048 | avg karma 2.51 · | 2018-11-05 22:47:49+00:00

Not if you control CAs. Cert pinning only works in a limited amount of cases, and certificate transparency only works with CAs who have agreed to implement them (Which is not the vast majority).