Use SSL pinning to make network calls secure.
Before we talk about SSL pinning, we need to discuss a secure web connection.
Secure web connection
A secure connection is a connection that is encrypted by one or more security protocols (such as SSL/TLS, IPsec and VPNs, Kerberos, or OSPF authentication) to ensure the security of data flowing between two or more nodes. But what happens if the connection is not secure?
When a connection is not encrypted, anyone who knows how can eavesdrop on it, and it is also exposed to malicious software. Anyone who wants information from an unsecured connection can take it, since they can move freely in and out of the computer's network, carrying off important data such as logins, passwords and other private information. A man-in-the-middle (MitM) attack is one of the most common cyber attacks: it occurs when an attacker inserts themselves between the communications of a client and a server.
Here are some common types of man-in-the-middle attacks:
In this type of MitM attack, an attacker hijacks a session between a trusted client and a network server. The attacking computer substitutes its own IP address for that of the trusted client while the server continues the session, believing it is still communicating with the client. For instance, the attack might unfold like this:
When a client application begins a secure session with a server, there are three things the client and server must agree on.
The server may use any of the following encryption algorithms to exchange keys, encrypt data and authenticate messages.
Now, to make a secure connection, we must use the HTTPS protocol.
HTTPS is the secure version of HTTP (the protocol used between client and server). The 'S' at the end of HTTPS stands for "secure"; technically it refers to HTTP over SSL (Secure Sockets Layer).
HTTPS ensures that all communication between your client and server is encrypted. Behind HTTPS, the SSL certificate plays an important role in building trust between server and client. By definition, an SSL certificate is a server's digital certificate, issued by a third party, that verifies the identity of the web server and its public key.
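The certificate's public key is exactly what a pinning client compares against a value shipped inside the app. The following Python block is an added example, not code from the original article: it walks the DER structure of an X.509 certificate with a minimal TLV decoder, extracts the SubjectPublicKeyInfo, and computes the `sha256/<base64>` pin format used by HPKP, Android's network security config and OkHttp's `CertificatePinner`. The certificate fed to it is constructed inside the block (structurally valid but with a placeholder signature, which is enough because pinning reads only the public key). Function names such as `extract_spki`, `spki_pin` and `chain_is_pinned` are assumptions of this example.

```python
"""Public-key (SPKI) pinning check: compute the sha256/... pin of a DER-encoded
X.509 certificate's SubjectPublicKeyInfo and compare it with embedded pins.
Added example; helper names are assumptions, not a library API."""
import base64
import hashlib

SEQUENCE = 0x30
BIT_STRING = 0x03
INTEGER = 0x02
CONTEXT_0 = 0xA0  # [0] EXPLICIT version field inside TBSCertificate


def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite-length form); used to build sample data."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return bytes([tag]) + length + content


def der_decode(data: bytes, pos: int = 0):
    """Decode one DER TLV starting at pos; returns (tag, content, end_pos)."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def der_children(content: bytes) -> list:
    """Split a constructed element's content into (tag, body, raw_tlv) children."""
    children, pos = [], 0
    while pos < len(content):
        start = pos
        tag, body, pos = der_decode(content, pos)
        children.append((tag, body, content[start:pos]))
    return children


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_decode(cert_der)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs_body, _ = der_children(cert_body)[0]
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == CONTEXT_0:
        fields = fields[1:]  # drop the optional explicit version
    if len(fields) < 6 or fields[5][0] != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][2]


def spki_pin(cert_der: bytes) -> str:
    """Pin in the 'sha256/<base64>' form used by HPKP, Android and OkHttp."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_is_pinned(chain: list, pinned: set) -> bool:
    """Accept the connection if any certificate in the chain carries a pinned key
    (the rule OkHttp's CertificatePinner applies); otherwise the client must abort."""
    return any(spki_pin(cert) in pinned for cert in chain)


# --- constructed sample certificate (no real signature) -----------------------
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("06092a864886f70d010101")         # 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"


def build_test_certificate(public_key_bits: bytes, serial: int) -> bytes:
    """Structurally valid X.509 v3 certificate with a placeholder signature.
    Constructed test data only; SPKI extraction never checks the signature."""
    sig_alg = der_encode(SEQUENCE, OID_SHA256_RSA + DER_NULL)
    empty_name = der_encode(SEQUENCE, b"")
    utc = lambda s: der_encode(0x17, s)  # UTCTime
    validity = der_encode(SEQUENCE, utc(b"240101000000Z") + utc(b"250101000000Z"))
    spki = der_encode(SEQUENCE, der_encode(SEQUENCE, OID_RSA + DER_NULL)
                      + der_encode(BIT_STRING, b"\x00" + public_key_bits))
    tbs = der_encode(SEQUENCE,
                     der_encode(CONTEXT_0, der_encode(INTEGER, b"\x02"))
                     + der_encode(INTEGER, bytes([serial]))
                     + sig_alg + empty_name + validity + empty_name + spki)
    signature = der_encode(BIT_STRING, b"\x00" + b"\x00" * 32)  # placeholder
    return der_encode(SEQUENCE, tbs + sig_alg + signature)


CERT_A = build_test_certificate(b"\x01" * 64, serial=1)
CERT_A_RENEWED = build_test_certificate(b"\x01" * 64, serial=2)  # same key, new cert
CERT_B = build_test_certificate(b"\x02" * 64, serial=3)          # different key
PINNED = {spki_pin(CERT_A)}  # value the app would ship with

if __name__ == "__main__":
    print("pin A        :", spki_pin(CERT_A))
    print("pin A renewed:", spki_pin(CERT_A_RENEWED))
    print("pin B        :", spki_pin(CERT_B))
    print("chain [B, A] accepted:", chain_is_pinned([CERT_B, CERT_A], PINNED))
    print("chain [B]    accepted:", chain_is_pinned([CERT_B], PINNED))
```

Pinning the SPKI hash rather than the whole certificate is what lets `CERT_A_RENEWED` (same key, new serial and validity) keep matching the shipped pin, while a certificate for an unrelated key (`CERT_B`) is rejected even if a CA would sign it. In a real client this check runs after the normal chain validation, not instead of it.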
A digital signature is equivalent to a handwritten signature. It is an electronic verification of the sender. A digital signature serves three purposes.
There are three types of SSL pinning: