0

I have hosted an api on an AWS Windows server, imported ssl certificates from a known CA, and made https mandatory. Then built a client app that is an executable, then pinned the public key hash for all requests from this app to the server. All communications will be encrypted, and the server will only accept requests from this particular app, and not from browsers.

Now I find something like these studies which severely critic the capability and safety of HPKP: https://scotthelme.co.uk/im-giving-up-on-hpkp/ https://www.smashingmagazine.com/2016/10/be-afraid-of-public-key-pinning/?ref=scotthelme.co.uk

The Mozilla:// site (and elsewhere) also describes Certificate Pinning as an obsolete method..

Based on this I have three questions.

Firstly, I dont understand that while Pinning itself might be obsolete but is it still part of a good ensemble, especially in my case? I looked around for this and did not find anything convincing on this topic and any alternatives (except TACK ?), and am looking for guidance.

Secondly, for the problem of Key distribution, which I have guessed would be better if not done over the network, but only included with every update of the app. How about it?

And thirdly, for scaling up, when I would require more servers for load balancing client requests, how should that determine whether or not Pinning is worth it?

I have also got some clarity from the following but not much: Certificate pinning and the key distribution problem HPKP-based persistent denial-of-service attack on web sites

Improve this question

1 Answer 1

Reset to default
2

I don't understand that while Pinning itself might be obsolete ...

It is not. The sources you cite are only about HPKP, which is a very specific type of pinning where the negative impact of doing it wrong (by accident or when the site is temporarily compromised) outweighs the gain for many sites.

Certificate pinning is still used by browsers when these problems can be mastered - for example there are still preloaded pinned sites in major browsers like Chrome and Firefox.

In your specific case you control both server and client. Here the problems associated with HPKP should not affect you, since you could cause the client to update if new pins are needed.

... the problem of Key distribution, which I have guessed would be better if not done over the network, but only included with every update of the app. How about it?

Including it in the app is fine as long as you can control updates to the app. Browsers do it the same way with the preloaded pins.

... when I would require more servers for load balancing client requests, how should that determine whether or not Pinning is worth it?

First, servers might use the same certificate. They might also use different certificates with same keys - so you could pin to the key. Both has problems since the private key gets more exposed this way. But servers might also use different certificates and keys but you might pin to a specific CA which you set to be the only one allowed to issue the certificates. And of course your app might contains multiple pins to so that each server could have its own key. Or, you could statically pin only to a single well-protected server and get dynamically load in your app from this server all the pins for the currently active servers. Or have a signed list of such pins where you can verify the signature in your app.

As for pinning being worth with multiple servers: the risk you are trying to mitigate with pinning does not get smaller just because you get more servers. It might even get larger since using more servers probably means that the app got more important and this also means being a more attractive target for hacking.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.