In 2014, security researchers discovered a critical vulnerability in the HSBC mobile banking app for iOS. The app was found to be susceptible to man-in-the-middle (MITM) attacks, allowing attackers to intercept and manipulate sensitive financial information. The root of the problem? The absence of SSL pinning.
Without SSL pinning, the app was vulnerable to accepting any SSL certificate, even a forged one, which enabled attackers to eavesdrop on the communication between the app and HSBC’s servers. This security flaw put users’ banking information at risk and highlighted a significant gap in the app’s security framework.
While HSBC quickly rectified the issue by implementing SSL pinning in subsequent updates, this incident serves as a stark reminder of the importance of this often-overlooked security measure. Especially in applications that handle sensitive data, such as personal information, financial transactions, or medical records, SSL pinning is a critical layer of defense against potential cyber threats.
In this article, we will explore what SSL pinning is, why it is crucial for app security, how it works, and the challenges involved in implementing it effectively.
Why SSL Pinning is Important
The growing threat of MITM attacks has made SSL pinning an essential practice in application security. In a MITM attack, an attacker intercepts the communication between a client and a server, potentially eavesdropping on or manipulating the data being exchanged. Even if SSL is used, attackers can sometimes trick the client into accepting a malicious certificate, allowing them to decrypt and re-encrypt the data as it passes through.
SSL pinning addresses this vulnerability by making it impossible for an attacker to use a forged certificate to impersonate a trusted server. When an app employs SSL pinning, it will only accept the server’s SSL certificate that has been “pinned” or hardcoded into the app. If the certificate does not match, the connection is terminated, preventing the attacker from intercepting the data.
How SSL Pinning Works
SSL pinning works by embedding or “pinning” a server’s SSL certificate or public key within the application. When the application connects to the server, it compares the server’s certificate with the pinned certificate. If the certificates match, the connection is allowed; if they do not, the connection is blocked.
There are two primary methods of SSL pinning:
Certificate Pinning: In this method, the entire SSL certificate is pinned. The application will only accept connections to servers that present this exact certificate. This method is straightforward but can lead to issues if the certificate expires or needs to be renewed, as the pinned certificate in the app must also be updated.
Public Key Pinning: Instead of pinning the entire certificate, this method pins the public key extracted from the certificate. Since the public key remains the same even if the certificate is renewed or reissued, public key pinning offers more flexibility and reduces the need for frequent updates to the app.
How to get SSL Certificate from Website 🤔
To implement SSL pinning effectively, you need to obtain the SSL certificate from the server you want to pin. There are two common methods to do this: extracting the certificate from a browser or generating using OpenSSL.
1. Extracting an SSL Certificate from a Browser
Most modern web browsers allow you to view and export SSL certificates from websites. Here’s how you can do it:
Using Google Chrome (or similar browsers like Firefox):
- Navigate to the website for which you want to obtain the SSL certificate.
- Click on the padlock icon in the address bar to view the site’s security information.
- Select “Certificate (Valid)” to open the certificate details.
- In the certificate window, go to the “Details” tab.
- Click on “Copy to File…” to start the certificate export wizard.
- Choose the “Base-64 encoded X.509 (.CER)” format and save the certificate file.
Using Firefox:
- Similar to Chrome, click on the padlock icon in the address bar and select “More Information”.
- Click on “View Certificate”.
- In the certificate viewer, navigate to the “Details” tab.
- Click on “Export…” and save the certificate in the desired format, usually PEM or DER.
2. Extracting SSL Certificate Using OpenSSL
In addition to extracting certificates from browsers, you can also use the openssl s_client command to directly retrieve an SSL certificate from a server. This method is particularly useful when you need to automate the certificate retrieval process or work from the command line.
The openssl s_client command allows you to connect to a remote server and fetch the SSL certificate being used. Here’s how you can use it:
Connect to the Server and Fetch the Certificate: Open a terminal and run the following command, replacing
yourserver.comwith the domain of the server you wish to connect to:1echo | openssl s_client -servername your-server.com -connect your-server.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > your-server.crtThis command initiates an SSL/TLS connection to the server on port 443 (the standard port for HTTPS).
Save the Certificate: After running the command, the terminal will display the server’s SSL certificate chain. The certificate you’re interested in will be enclosed between
-----BEGIN CERTIFICATE-----and-----END CERTIFICATE-----.Copy the entire certificate block (including the
BEGINandENDlines) and save it to a file. For example, you can save it asserver_cert.pem:1 2 3echo "-----BEGIN CERTIFICATE----- MIID... (certificate content) -----END CERTIFICATE-----" > server_cert.pemVerify the Certificate (Optional): If you want to verify the details of the certificate, such as the subject, issuer, or expiration date, you can use the following command:
1openssl x509 -in server_cert.pem -text -nooutThis command outputs the full details of the certificate in human-readable format.
3. How to Get SSL Certificates Using SSL Labs
SSL Labs by Qualys is a popular online tool for analyzing the security of SSL/TLS certificates. It provides a detailed report on a website’s SSL implementation, including its certificate chain, vulnerabilities, and other security configurations. You can also use it to retrieve the SSL certificate of a server for SSL pinning.
Steps to Retrieve SSL Certificates from SSL Labs:
Visit SSL Labs:
- Go to the SSL Labs website: https://www.ssllabs.com/ssltest/.
Submit the Server’s Domain:
- In the input box labeled “Hostname,” enter the domain name of the server whose SSL certificate you want to retrieve (e.g.,
yourserver.com). - Click the “Submit” button to start the SSL test.
- In the input box labeled “Hostname,” enter the domain name of the server whose SSL certificate you want to retrieve (e.g.,
Wait for the Analysis:
- SSL Labs will begin analyzing the server’s SSL configuration. This process may take a few minutes, depending on the server’s setup and the current load on the SSL Labs platform.
View the Certificate Chain:
- Once the analysis is complete, scroll down to the “Certification Paths” section of the report.
- You will see a list of certificates provided by the server, including the end-entity certificate (the one you’re interested in for pinning) and any intermediate or root certificates.
Download the Certificate:
- Click on the link to view or download the certificate in PEM format. You can also view the certificate in text format to inspect its details, such as the issuer, expiration date, and subject.
Save the Certificate:
- Save the downloaded certificate to a file, such as
yourserver_cert.pem, for use in SSL pinning.
- Save the downloaded certificate to a file, such as
Challenges and Best Practices
While SSL pinning enhances security, it is not without its challenges. One of the main issues is managing certificate expiration. Certificates typically have a validity period, and when they expire, they need to be renewed. If the pinned certificate is not updated in the app, users may experience connectivity issues.
Challenges in Implementing SSL Pinning
Certificate Expiration: As mentioned, if a pinned certificate expires and is renewed, the app must be updated with the new certificate. This can be particularly challenging for mobile apps, where users may not update the app frequently.
Debugging: Implementing SSL pinning can make debugging more difficult, as any attempt to intercept and inspect network traffic will result in a failed connection. Developers need to be aware of this and may need to disable pinning during development and testing phases.
Best Practices
Flexible Pinning: To reduce the risk of connectivity issues, it is advisable to pin multiple certificates or public keys. This way, if the primary certificate expires or is compromised, the app can fall back on an alternative.
Fallback Mechanisms: Implementing a fallback mechanism that allows the app to retrieve updated certificates from a trusted source can help prevent issues caused by expired or changed certificates.
Regular Updates: Ensure that the app is regularly updated, and users are encouraged to install updates promptly. This is particularly important when SSL certificates are renewed or changed.
Security vs. User Experience: While SSL pinning is essential for security, it is also important to balance this with user experience. For example, consider providing informative error messages if a connection is blocked due to SSL pinning, so users understand why the app is not functioning as expected.
Conclusion
SSL pinning is a powerful technique that adds an extra layer of security to SSL connections, protecting against MITM attacks and ensuring that data is transmitted securely between clients and trusted servers. However, it is important to be aware of the challenges associated with implementing SSL pinning and to follow best practices to ensure a smooth and secure user experience.
By understanding how SSL pinning works and carefully implementing it in your applications, you can significantly enhance the security of your users’ data and protect your app from malicious attacks.