Get started Bring yourself up to speed with our introductory content.

How certificate pinning improves certificate authority security

Certificate pinning reduces reliance on trusting certificates authorities and improves digital certificate trustworthiness. Michael Cobb explains how.

I saw that Microsoft is going to include something called certificate pinning in version 4.0 of its EMET tool....

EMET is already in use at my company, but I'm curious if you could describe what certificate pinning is and the potential benefits? And how can we use EMET for certificate pinning?

Ask the Expert

SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)

When communicating over public networks such as the Internet, it is essential to send and receive information securely. The main protocol used to secure these communications is SSL/TLS, which uses digital certificates to provide authentication and encryption. For example, the public key in a Web server's certificate is used to encrypt traffic to the site while the certificate identifies who owns the site. To trust that a certificate is genuine and valid, it is digitally signed by a root certificate belonging to a trusted certificate authority (CA). Operating systems and browsers maintain lists of trusted CA root certificates so they can easily verify certificates that the CAs have issued and signed.

However, this chain or hierarchy of trust is not foolproof because it relies on trusting others -- a risky thing to do nowadays. Hackers have broken into various CA networks -- DigiNotar and Comodo, for example -- and signed bogus digital certificates in the names of major players such Facebook Inc., Twitter Inc., Microsoft, Mozilla Corp., Yahoo Inc., and Google Inc.

Protocols that rely on certificate chain verification -- such as VPN and SSL/TLS -- are vulnerable to a number of dangerous attacks, including SSL man-in-the-middle attacks. Once users no longer trust one certificate signed by a compromised CA, all certificates issued and signed by that CA must be considered compromised.

Certificate pinning is a framework that can reduce reliance on trusting others when making security decisions relating to an identity. Pinning leverages knowledge of a pre-existing relationship between an application and an organization or service with an "expected" digital certificate or public key -- an independent whitelist of what a certificate or key is supposed to look like. This works similarly to the well-established Secure Socket Shell (SSH)'s StrictHostKeyChecking option, directly identifying a host or service by its public key and removing the need to rely on third-party verification. Pinning is backwards-compatible with existing CA certificates and doesn't require sites to modify existing certificate chains.

Currently, the Android Twitter client includes certificate pinning. Google's Chrome browser pins the certificates for Google sites, therefore only trusting specific certificates signed by the Google Internet Authority.

Because certificate pinning provides a layer of defense against man-in-the-middle attacks that use forged certificates, Microsoft has introduced certificate pinning in the latest version of its EMET protection tool. Called Certificate Trust, this feature is enabled by default in Internet Explorer to enforce certificate pinning protection and includes a set of preconfigured domains used by Microsoft online services. Users can manually specify which certificates and root CAs to trust, as well as opt in other executables for certificate pinning features, such as other browsers.

While it does require extra work for administrators -- maintaining any sort of whitelist can be a time-consuming task -- it is highly beneficial. It is also well worth installing the latest version of EMET as it includes protection against some techniques and calls to banned application programming interfaces that bypass previous versions of the toolkit.

This was last published in October 2013

Dig Deeper on Web authentication and access control