SSL Pinning: What It Is and When to Use It
What Is SSL Pinning?
SSL pinning (also called certificate pinning or public key pinning) is a security technique where an application is configured to accept only specific certificates or public keys when connecting to a server, rather than trusting any certificate signed by a trusted Certificate Authority (CA).
In standard TLS, trust is hierarchical: your browser or operating system trusts a set of root CAs (~150 on most systems), and any certificate signed by these CAs (or their intermediates) is accepted. This is convenient but creates a large attack surface. If any single CA is compromised, attackers can issue valid certificates for any domain.
Pinning reduces this attack surface by hardcoding the expected certificate or public key into the application. If the server presents a different certificate — even one signed by a trusted CA — the connection is refused.
Why Pinning Exists
The standard CA trust model has known weaknesses:
- CA compromise — in 2011, DigiNotar was breached, and fraudulent certificates were issued for Google, Yahoo, Mozilla, and others. Attackers used them for man-in-the-middle attacks against Iranian users
- Government coercion — state actors can compel CAs within their jurisdiction to issue certificates for surveillance purposes
- Misissuance — CAs have accidentally issued certificates to unauthorized parties (Symantec incidents, 2015–2017)
- Corporate proxies — companies install root CAs on employee devices to intercept and inspect SSL/TLS проверку traffic
Pinning protects against all of these scenarios by making the application independently verify the server's identity, regardless of the CA chain.
What Can Be Pinned
There are several pinning strategies, each with different trade-offs:
| Pin Target | What Is Pinned | Flexibility | Security |
|---|---|---|---|
| Leaf certificate | Exact server certificate | Low — breaks on every renewal | Highest |
| Public key | Server's public key (SPKI hash) | Medium — survives certificate renewal if key is reused | High |
| Intermediate CA | Issuing CA's certificate | High — any certificate from that CA works | Medium |
| Root CA | Root CA's certificate | Highest — any chain to that root works | Lowest (of pinning options) |
Public key pinning is the most common choice — it provides strong security while surviving certificate renewals, as long as you generate new certificates with the same key pair or pin backup keys.
Implementation Methods
HTTP Public Key Pinning (HPKP) — Deprecated
HPKP was a browser-based pinning mechanism via HTTP headers:
Public-Key-Pins:
pin-sha256="base64+primary==";
pin-sha256="base64+backup==";
max-age=5184000;
includeSubDomains;
report-uri="https://example.com/hpkp-report"HPKP was deprecated in 2018 and removed from Chrome 72. The reasons: risk of bricking websites if pins were misconfigured (permanent denial of service), difficulty of key rotation, and the rise of Certificate Transparency as an alternative.
Mobile App Pinning
Pinning is most common in mobile applications where you control the client:
// Android — OkHttp certificate pinning
CertificatePinner pinner = new CertificatePinner.Builder()
.add("api.example.com",
"sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.add("api.example.com",
"sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // backup
.build();
OkHttpClient client = new OkHttpClient.Builder()
.certificatePinner(pinner)
.build();// iOS — URLSession with pinning delegate
func urlSession(_ session: URLSession,
didReceive challenge: URLAuthenticationChallenge,
completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
guard let serverTrust = challenge.protectionSpace.serverTrust,
let certificate = SecTrustGetCertificateAtChain(serverTrust, 0) else {
completionHandler(.cancelAuthenticationChallenge, nil)
return
}
let serverKey = SecCertificateCopyKey(certificate)
// Compare with pinned key hash...
}Certificate Transparency (CT) as Alternative
Certificate Transparency requires CAs to log every issued certificate to public, auditable logs. Browsers verify that certificates appear in CT logs. This does not prevent misissuance but makes it detectable — any fraudulent certificate becomes publicly visible. Since 2018, Chrome requires all new certificates to be CT-logged.
When to Use Pinning
Pinning is appropriate when:
- Mobile apps communicating with your own API документацию — you control both the client and server, and can coordinate key rotation
- High-security applications — banking, healthcare, government systems where MITM attacks are a realistic threat
- IoT devices — embedded systems connecting to specific servers
- Internal services — service-to-service communication within your infrastructure (mutual TLS with pinning)
Pinning is generally NOT appropriate for:
- Public websites — you cannot control what certificates users accept. HPKP was deprecated for this reason
- Applications connecting to third-party APIs — you cannot predict when they will rotate certificates
- Situations where you lack operational maturity for key management — pinning the wrong key or failing to rotate can cause total outages
Risks and Pitfalls
- Bricking — if pinned certificates expire and backup pins are not configured, the app cannot connect. For mobile apps, this requires an app store update — potentially days of downtime
- Key rotation complexity — you must pin at least two keys (primary + backup) and have a rotation plan before the current key expires
- Debugging difficulty — pinning failures look like generic TLS errors. Add proper error messages and reporting
- CDN and proxy conflicts — CDNs like Cloudflare terminate TLS with their own certificates. Pinning to your origin certificate will break if traffic routes through the CDN
- Bypass by rooted devices — on rooted/jailbroken devices, attackers can disable pinning with tools like Frida or Objection. Pinning is defense in depth, not absolute protection
Best Practices
- Pin the public key (SPKI hash), not the full certificate — survives renewals
- Always include at least one backup pin from a different CA
- Implement pin failure reporting to detect issues before they become outages
- Plan key rotation before deploying pinning — test the rotation process
- Use Certificate Transparency monitoring alongside or instead of pinning for web properties
- Monitor your domain with tools like Enterno.io to detect certificate changes and expiry before they affect pinned clients
- For mobile apps, consider a remote configuration mechanism to update pins without app updates
Conclusion
SSL pinning is a powerful security technique that narrows the trust model beyond CA hierarchies. It is most effective for mobile apps and internal services where you control both endpoints. However, it introduces operational complexity — misconfigured pins can cause outages worse than the attacks they prevent. Use pinning when the threat model justifies it, always pin backup keys, and combine with Certificate Transparency monitoring for comprehensive certificate security.
Check your website right now
Check now →