We have studied CAs and CT logs, but the fundamental problem remains: if a CA is compromised, it can issue a valid certificate for any domain. Certificate Pinning is the 'nuclear option' of trust. Instead of trusting *any* CA, the client is told to trust *only* one specific public key.
HTTP Public Key Pinning (HPKP) was a header that allowed a website to tell the browser: 'For the next X months, only trust certificates that contain this specific public key.' This effectively neutralized rogue CAs. However, it was too dangerous. If a site lost its private key and didn't have a backup pin, the site became permanently inaccessible to all users.
💡 This is known as 'bricking' the site. Because the browser refuses to connect to any key other than the pinned one, a lost key meant a lost business.
```http
# DEPRECATED: The old HPKP header
# (RFC 7469 required at least two pin-sha256 values, one of them a backup pin; only one is shown here)
Public-Key-Pins: pin-sha256="jcmUuS...="; max-age=5184000; includeSubDomains
```

Due to the risk of accidental self-denial of service, HPKP was deprecated in favor of Certificate Transparency (CT) and other more flexible mechanisms.
While pinning is dead for browsers, it is still very much alive in mobile applications. Apps can 'hardcode' the server's public key into the binary. When the app connects to its API, it checks the server's certificate against the hardcoded key. If they don't match, the app kills the connection immediately.
⚠️ Hardcoding pins can lead to 'App Store Death'. If you rotate your server certificate but forget to update the app binary, the app will stop working for all users until they update through the app store.
| Method | Target | Pros | Cons |
|---|---|---|---|
| HPKP | Web Browsers | Immune to Rogue CAs | High risk of site bricking |
| Static Pinning | Mobile Apps | Extremely Secure | Update required for cert rotation |
| Expect-CT | Web Browsers | Auditable | Doesn't prevent MitM entirely |
| CAA Records | DNS | Prevents unauthorized CA issuance | Not a client-side check |
Certification Authority Authorization (CAA) is a DNS record that tells the world: 'Only Let's Encrypt is allowed to issue certificates for this domain.' When a CA receives a request for a certificate, they are required to check the CAA record. If they aren't listed, they must refuse to issue the certificate.
```dns
; DNS CAA record: only allow letsencrypt.org to issue certs for this zone
; (@ is the zone apex; flags 0 = non-critical, tag "issue" = permitted issuer)
@   IN  CAA 0 issue "letsencrypt.org"
```

If you use pinning in a mobile app, always include a 'Backup Pin': a second public key for a certificate that is kept in a secure vault and only used if the primary key is compromised.
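The static-pinning check described above (primary plus backup pin, hardcoded in the client), as an added Go example that is not part of this lesson or any particular app's code. It computes the same SPKI-based pin that HPKP used and rejects a certificate whose key is not pinned; the certificates are throwaway self-signed ones generated in the block, and names such as `spkiPin`, `verifyPins` and `selfSigned` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is the HPKP-style pin base64(SHA-256(DER SubjectPublicKeyInfo)); pinning the key, not the whole cert, survives renewal under the same key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins accepts a chain only if some certificate carries a pinned key (primary or backup); run it on the verifiedChains passed to tls.Config.VerifyPeerCertificate.
func verifyPins(chain []*x509.Certificate, pins []string) error {
	for _, cert := range chain {
		for _, p := range pins {
			if spkiPin(cert) == p {
				return nil
			}
		}
	}
	return errors.New("pin validation failed: no pinned key in chain")
}

// selfSigned makes a throwaway cert with a fresh key (constructed demo input, not a real server cert).
func selfSigned() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	primary, backup, rogue := selfSigned(), selfSigned(), selfSigned()
	pins := []string{spkiPin(primary), spkiPin(backup)} // hardcoded in the app; the backup key stays offline in a vault
	for _, leaf := range []*x509.Certificate{primary, backup, rogue} { // rogue: CA-valid cert, unpinned key
		fmt.Println(verifyPins([]*x509.Certificate{leaf}, pins)) // <nil>, <nil>, pin validation failed
	}
}
```

Because the backup pin is already in the binary, rotating to the vaulted key does not require an app update; only a key outside the pinned set (the rogue case) is refused.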