SSL Pinning

By StartxLabs
Date 22-05-19
"Use SSL pinning to make network calls secure."

 

Before we talk about SSL pinning, we need to discuss what a secure web connection is.

 

Secure web connection

A secure connection is one whose traffic is encrypted and authenticated by a security protocol, so that the data flowing between two or more nodes cannot be read or altered by anyone in between. For web traffic that protocol is TLS (the successor of SSL); IPsec and VPNs protect whole network links, and Kerberos authenticates users and services inside a network. (OSPF authentication, sometimes listed alongside these, only authenticates routing updates and encrypts nothing.) But what happens if the connection is not secure?

When a connection is not encrypted, anyone on the network path (a shared Wi-Fi hotspot, a compromised router, an ISP) can read the traffic, and malware on either endpoint can tamper with it. Logins, passwords and other private data travel in the clear, and an attacker can harvest them simply by watching the packets go in and out of the network. A man-in-the-middle (MitM) attack is one of the most common attacks of this kind: the attacker inserts themselves between a client and a server and relays the traffic between the two, reading or modifying it on the way, while each side believes it is talking directly to the other.

 

Here are some common types of man-in-the-middle attacks:

 

Session hijacking

In this type of MitM attack, an attacker takes over an established session between a trusted client and a server. The attacker's machine impersonates the client (for example by spoofing its IP address and TCP sequence numbers) while the server continues the session, believing it is still communicating with the client. For instance, the attack might unfold like this:

  • A client connects to a server and authenticates.
  • The attacker's computer gains control of the client's connection (by sniffing it on the network, or by compromising the client itself).
  • The attacker's computer knocks the real client off the connection.
  • The attacker's computer sends packets carrying the client's source IP address and the correct (sniffed or predicted) sequence numbers.
  • The attacker's computer continues the dialogue with the server, which believes it is still communicating with the client.

Denial of service

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks overwhelm a system's resources so that it can no longer respond to legitimate requests. A DoS attack is not itself a man-in-the-middle attack, but it is often used inside one: the attacker floods the real client so that it cannot answer the server while the attacker speaks in its place.

 

When a client application begins a secure (TLS) session with a server, the handshake must agree on three things:

  • How the session keys will be exchanged.
  • How application data will be encrypted.
  • How messages will be authenticated, so that tampering is detected.

 

Together these choices form a cipher suite. Algorithms that have appeared in this role include the following; note that several of them are now considered weak and are disabled in current TLS configurations.

  • RSA (key exchange in older TLS versions, and certificate signatures; TLS 1.3 uses it for signatures only)
  • AES (the bulk cipher in essentially all modern suites, usually in GCM mode)
  • Triple DES (bulk cipher in legacy suites; deprecated because of its 64-bit block size)
  • SHA-1 (hash for message authentication in older suites; no longer acceptable for certificate signatures)
  • Blowfish and Twofish (general-purpose block ciphers; they were never part of the TLS cipher suite registry, so a TLS server cannot actually offer them)

 

Now, to make a secure connection on the web, we must use the HTTPS protocol.

HTTPS is the secure version of HTTP (the protocol used between client and server). The 'S' at the end of HTTPS stands for "secure": technically it is HTTP carried over TLS (Transport Layer Security), the successor of SSL (Secure Sockets Layer). The old name has stuck, which is why people still say "SSL certificate" and "SSL pinning".

HTTPS ensures that all communication between your client and the server is encrypted and authenticated. Behind HTTPS, the server's certificate plays the central role in building trust between server and client. By definition, an SSL certificate is a server's digital certificate (an X.509 certificate), issued by a third party called a certificate authority (CA); it binds the server's identity (its hostname) to its public key, and the client verifies that binding by checking the CA's digital signature on the certificate. The catch for app developers is that a device trusts many CAs, plus any root certificate the user installs, so any certificate signed by one of them passes this check. That is the gap SSL pinning closes.

 

A digital signature is the electronic equivalent of a handwritten signature: it proves who produced a message and that the message has not changed since. A digital signature serves three purposes.

  • Authentication: a digital signature gives the receiver reason to believe the message was created and sent by the claimed sender, because only the holder of the private key could have produced it.
  • Non-repudiation: with a digital signature, the sender cannot later deny having sent the message.
  • Integrity: a digital signature ensures that the message was not altered in transit; any change to the message invalidates the signature.

 

SSL pinning means the app ships with the identity it expects from the server (a certificate, or a hash of the server's public key) and rejects any TLS connection whose certificate chain does not contain a match, even if the chain is signed by a CA the device trusts. There are three types of SSL pinning:

  • Public key pinning: the app pins the server's public key rather than the certificate, so a renewed certificate issued for the same key still passes.
  • Certificate pinning: the app pins the exact certificate (or its hash); this is the simplest form, but every certificate renewal requires an app update.
  • SPKI pinning: the app pins the SHA-256 hash of the certificate's DER-encoded SubjectPublicKeyInfo structure. This is the practical form of public key pinning used by HPKP, OkHttp's CertificatePinner and Android's Network Security Config, and the pin set should always include a backup pin for a spare key so that a key rotation does not lock users out.
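As an added, stand-alone example (not code from StartxLabs' article), the following Python script shows what an SPKI pin actually is and why it behaves differently from a certificate pin. It uses only the standard library: a small DER encoder builds three constructed X.509 certificates (dummy signatures, the hostname api.example.test and the key material are all assumed for the example), a small DER parser pulls the SubjectPublicKeyInfo back out, and the pin is computed as sha256/<base64> in the form OkHttp's CertificatePinner and Android's Network Security Config expect. Renewing the server's certificate with the same key keeps the SPKI pin valid while the certificate-hash pin changes, and a certificate issued for an interception proxy's key fails the check.

```python
"""SPKI pinning with the Python standard library only (constructed example)."""
import base64
import hashlib

# ---- minimal DER encode/decode ---------------------------------------------

def der_len(n: int) -> bytes:
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos:]; return (tag, content, end offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_children(content: bytes):
    """Yield (tag, whole TLV bytes) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(content):
        tag, _, end = der_read(content, pos)
        yield tag, content[pos:end]
        pos = end

# ---- pin computation ---------------------------------------------------------

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)
    fields = [tlv for _, tlv in der_children(tbs_body)]
    if fields and fields[0][0] == 0xA0:   # explicit [0] version is present (v2/v3)
        fields = fields[1:]
    return fields[5]                      # serial, sigalg, issuer, validity, subject, SPKI

def pin_of_spki(spki_der: bytes) -> str:
    """Pin string in OkHttp / Android NSC form: 'sha256/' + base64(SHA-256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der: bytes) -> str:
    """Public key (SPKI) pin: survives certificate renewal with the same key."""
    return pin_of_spki(extract_spki(cert_der))

def cert_pin(cert_der: bytes) -> str:
    """Certificate pin: hash of the whole certificate, so it changes on every renewal."""
    return "sha256/" + base64.b64encode(hashlib.sha256(cert_der).digest()).decode()

def check_pins(cert_der: bytes, pinned: set) -> bool:
    """The check an app runs on the presented certificate after normal chain validation."""
    return spki_pin(cert_der) in pinned

# ---- constructed test certificates (valid structure, dummy signatures) -----------

OID_RSA        = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")   # 1.2.840.113549.1.1.11 sha256WithRSA
OID_CN         = bytes.fromhex("550403")               # 2.5.4.3 commonName

def rsa_spki(modulus: bytes, exponent: bytes = b"\x01\x00\x01") -> bytes:
    alg = der_seq(der_tlv(0x06, OID_RSA), der_tlv(0x05, b""))
    key = der_seq(der_tlv(0x02, modulus), der_tlv(0x02, exponent))   # RSAPublicKey
    return der_seq(alg, der_tlv(0x03, b"\x00" + key))                 # BIT STRING, 0 unused bits

def build_cert(spki: bytes, serial: int, not_before: bytes, not_after: bytes) -> bytes:
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # [0] EXPLICIT INTEGER 2 = v3
    sig_alg = der_seq(der_tlv(0x06, OID_SHA256_RSA), der_tlv(0x05, b""))
    name = der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, OID_CN), der_tlv(0x0C, b"api.example.test"))))
    validity = der_seq(der_tlv(0x17, not_before), der_tlv(0x17, not_after))   # UTCTime
    tbs = der_seq(version, der_tlv(0x02, serial.to_bytes(1, "big")), sig_alg, name, validity, name, spki)
    return der_seq(tbs, sig_alg, der_tlv(0x03, b"\x00" + bytes(32)))   # signature is a placeholder

SERVER_SPKI = rsa_spki(bytes(range(1, 65)))    # the server's key (constructed, hypothetical)
BACKUP_SPKI = rsa_spki(bytes(range(2, 66)))    # offline spare key, pinned as a backup
MITM_SPKI   = rsa_spki(bytes(range(3, 67)))    # key of an interception proxy

LEGIT_CERT   = build_cert(SERVER_SPKI, 1, b"240101000000Z", b"250101000000Z")
RENEWED_CERT = build_cert(SERVER_SPKI, 2, b"250101000000Z", b"260101000000Z")  # same key, new cert
MITM_CERT    = build_cert(MITM_SPKI, 7, b"240601000000Z", b"250601000000Z")

# Ship at least one backup pin, or the next key rotation locks every user out.
PINS = {spki_pin(LEGIT_CERT), pin_of_spki(BACKUP_SPKI)}

if __name__ == "__main__":
    print("server pin:", spki_pin(LEGIT_CERT))
    print("renewed cert passes SPKI pin:", check_pins(RENEWED_CERT, PINS))
    print("cert-hash pin unchanged by renewal:", cert_pin(LEGIT_CERT) == cert_pin(RENEWED_CERT))
    print("MitM proxy cert passes:", check_pins(MITM_CERT, PINS))
```

In a real app this check runs after the platform has already validated the chain, on the leaf (or a pinned intermediate) certificate; the pin set is shipped inside the app, and the backup pin belongs to a key that is generated and kept offline until the server key is rotated.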

 
