TLS/SSL Certificate Pinning Explained

58,718 views

Hussein Nasser

1 day ago

Comments: 55
@mkc0321 3 years ago
I cracked my interview with this explanation.. thanks a lot
@hnasr 3 years ago
👏👏
@joelewis9137 3 years ago
You all probably don't give a shit, but does anyone know a method to get back into an Instagram account? I stupidly forgot my password. I would appreciate any help you can offer me.
@jeromemacaspac2792 4 months ago
Hey, this video is 4 years old but it is still the same great explanation I am looking for. For anyone confused about the certificate pinning of CrowdStrike, this is exactly how it happens.
@Cutecontentsforyou 10 months ago
Why are you explaining it for so long.. it’s actually very simple
@MrVipulLal 2 years ago
Short and sweet. Thanks
@raghuvallikkat3384 4 years ago
Thank you for accommodating the request
@ismailayoub3139 3 years ago
Great explanation as always man
@asifahmedsourav6355 3 years ago
Easy and helpful. Thanks a ton, Hussein Sir. Learning these types of things has never been this easy.
@thiruvenkatakrishnan4242 1 year ago
Great and clear explanation! Thank you
@rishiprotimbose6167 3 years ago
Hussein, you are the saviour, man... I was trying to explore this. Wasted a few days trying to understand it. But your explanation cleared up every single doubt ... 😂
@hnasr 3 years ago
❤️❤️
@sergeymohov2699 4 years ago
Hussein, you are great.
@MasterSergius 2 years ago
Thank you, now I completely understand it
@ch94086 4 years ago
Hi Hussein! Maybe you can do a follow-up on public key pinning and certificate transparency. Seems like most certificate pinning libraries set a hash of the Subject Public Key Info. (It wasn't clear to me if the CA key is pinned sometimes.) While watching your video I was going to comment on pinning a certificate that expires in a month, but you mentioned it. Pinning the key hash solves that. I guess some apps have some side channel to update the pinned key hashes.
@hnasr 4 years ago
Carl Hage thanks, Carl! Yes, I think there are multiple ways of tackling this. Pinning the hash of the public key seems to be the least disruptive..
@d36247 1 year ago
Thanks, nice and clear explanation
@Drunkenhead 4 years ago
Hi Hussein, nice explanation. But as you mentioned, there may be a dynamic set of domains. Is there an alternative for this situation? There is an approach called Certificate Transparency (CT); could you make a video about that?
@techmarinar 3 years ago
Thanks man, this was very helpful to me ☺️☺️
@verryondrums 3 years ago
This was a great great great explanation!
@hnasr 3 years ago
Glad you enjoyed it!
@lusrinu 4 years ago
Super video. When did TLS pinning become popular for authentication between servers?
@godfirstamaka4185 1 year ago
😂😂😂.. I love your content and how funny you are
@abdulmoizsheikh8031 4 years ago
Hi, I didn't quite get what you meant by recompiling the source after adding an entry for the certificate hash. I assume you mean adding/removing key-value pairs in the store?
@lusrinu 4 years ago
A request: can you do a video on the history of security techniques (TLS / Kubernetes / OpenSSL) with the options applicable to different types of projects: e-commerce / bank / mobile app etc.
@lusrinu 4 years ago
Basically I wanted to have a primer on the history of security techniques and the current landscape
@pranaychoudhary3253 3 years ago
Great video! I have one question though: what happens when the pinned certificate expires?
@nitinneo7 3 years ago
Great question! Let's take the example of the mobile application connecting to known domain servers, as pointed out at the end of the video. So, the Android developer has the option of pinning the low-level domain cert, which might have a validity of one year, or the CA one, which might have a validity of 3-5 years. Let's say they pin the domain certificate, which has 1-year validity. Now, before the cert expires, at the mobile end, they shall chain the old cert and the new cert and provide an update to the application. This way, when the server undergoes the cert change, there would not be any bad experience for the customer using the mobile application. The problem would only appear if automatic updates are turned off. Also, usually this is controlled by the minimum version support of the application, which would thereby mandate the user to update the application to use it further.
@alevsk 2 years ago
In the case of DNS poisoning, the malicious website can still serve the public key certificate from the original website (because it is public), but you still need to have the private key to decrypt the traffic, so how is it going to work? You either hack the original server and steal the private key from there, or you have to trick a certificate authority so they issue you a new valid key pair certificate trusted by the clients; in both cases there's no need for DNS poisoning at this point. Is there something I'm missing?
@thechirpy_wanderer 3 years ago
Hi, thanks for explaining... Is there any way of doing SSL pinning with which we can make changes on the server side only, without making any changes in the app, so that we don't need to release the app with the new certificate on the store when the certificate has expired?
@godfirstamaka4185 1 year ago
And I ended up subscribing too
@LtW00dy 1 year ago
Great explanation, but it is considered a bad practice these days. If certificates need to be updated because they were spoofed, expired or simply need rotation, which is mandatory for compliance with regulations, this can't be done with the agility that is necessary. Also, it is important to say that HPKP is now deprecated.
@heetdhuvad9984 10 months ago
Cloudflare SSL gets renewed every 3 months, so every 3 months I need to update the APK with the new hash. Is there any solution for this?
@cyberrado 7 months ago
I truly love your explanation, but somehow I feel Lalo Salamanca is talking :D
@douaasu3931 3 years ago
Thank you
@ruhankhandakar 4 years ago
Awesome.. thanks
@nitinneo7 3 years ago
Hi Hussein, for mobile applications which have a specific endpoint (domain) to connect to, it is clear that SSL pinning would keep the request secure. Is there any way that the request is seen by a man in the middle, and if so, could they get the details of the pinned certificate?
@syth-1 2 years ago
A man in the middle won't see the content of the traffic; heck, it will fail at the handshake, as the client will reject the certificate it tries to spoof. You can make an educated guess as to why it failed (i.e. the application uses cert pinning); the only thing you will see is the URL/domain it tried connecting to. On Android it puts you into a full lockdown as soon as you connect to a man-in-the-middle router, at least on Android 12 (it gives a notification saying connection functionality is limited or something).
@mikexue5104 4 years ago
What if, at the very first SSL/TLS session from the client to the server, there is a man-in-the-middle who pretends to be the server? Will the client be cheated?
@abdulmoizsheikh8031 4 years ago
I think that might only happen in the extreme case of DNS poisoning. Otherwise, your browser will catch whether the digital signature sent from the server is valid or not.
@gauthamr906 4 years ago
Wouldn't the client verify the domain in the shady certificate it received back and reject it if it's not the same as the one requested?
@hnasr 4 years ago
Gautham R, the shady certificate will have the same domain requested by the client; it's just signed by a shady CA.
@gauthamr906 4 years ago
Hussein Nasser, thanks a lot. That makes sense.
@s8x. 2 months ago
So this happens in the front-end JavaScript? Can’t someone change the JavaScript?
@jayseb 1 year ago
Good video, but these days an attacker can't just serve you a "shady" cert. You (the user) will need to accept the "injected" cert/root and then import it and go on with the app flow... If users simply accept an injected cert and authority, we have all failed. But yeah, it's technically possible, but not without the acceptance, just like when using Burp on your local machine to proxy the flow. Your browser won't simply enable comms; the certs and root have to be injected. Cheers.
@ca7986 4 years ago
❤️
@cstlabs1772 2 years ago
Fail ..haiinn,
@murradkhalil1429 3 years ago
hhhhhhh, "my pins are the worse"
@moosegoose1282 4 years ago
The Indian tutorial told me SSL pinning means “uh er uh uh”, holy fuck thank you