What is Certificate Pinning?
A security technique where an application only accepts specific TLS certificates for a given server, preventing man-in-the-middle attacks using forged certificates.
Certificate pinning hardcodes the expected certificate information into the application, so a certificate issued by a compromised or misled CA is still rejected, even though it chains to a trusted root.
How It Works
- The app stores a hash of the expected certificate's public key (its SubjectPublicKeyInfo)
- During TLS connection, the server's certificate is checked against the pin
- If it doesn't match, the connection is refused
- Even a valid CA-signed certificate will be rejected if it doesn't match the pin
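The check above, as an added example that is not part of this glossary page: a Python function that extracts the SubjectPublicKeyInfo from a DER certificate with a minimal DER walker, hashes it into the "sha256/<base64>" pin format used by HPKP and OkHttp, and refuses anything not in the pin set. The certificate used is a constructed, unsigned stand-in built by the same code (only the field order matters for extraction); the OID and modulus bytes are placeholders, not a real key.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, content, end offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def spki_from_cert(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of a DER X.509 certificate."""
    _, cert_body, _ = _tlv(cert_der, 0)   # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert_body, 0)        # tbsCertificate ::= SEQUENCE (first field)
    fields, pos = [], 0
    while pos < len(tbs):                 # split tbsCertificate into child TLVs (raw bytes)
        _, _, end = _tlv(tbs, pos)
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def spki_pin(spki_der):
    """Pin in the 'sha256/<base64>' form used by HPKP and OkHttp: SHA-256 of the whole SPKI DER."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")
def check_pins(cert_der, pins):
    """Accept the leaf only if its SPKI hash is in the pin set (ship a backup pin for rotation)."""
    return spki_pin(spki_from_cert(cert_der)) in set(pins)

def der(tag, content):
    # Encode one DER TLV (short- or long-form length); used to build the constructed test cert.
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
# Constructed sample SPKI: rsaEncryption OID + NULL, then a dummy 2048-bit modulus. Not a real key.
SAMPLE_SPKI = der(0x30, der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
                  + der(0x03, b"\x00" + bytes(257)))

def fake_cert(spki_der, with_version=True):
    """Unsigned stand-in certificate with the real tbsCertificate field order (constructed)."""
    version = [der(0xA0, der(0x02, b"\x02"))] if with_version else []
    tbs = der(0x30, b"".join(version + [der(0x02, b"\x01")] + [der(0x30, b"")] * 4 + [spki_der]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

A certificate whose key was rotated without updating the pin set fails check_pins even if a trusted CA signed it, which is exactly the lock-out risk listed under Limitations.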
Where It's Used
- Mobile banking apps
- Messaging apps (Signal)
- High-security web applications
Limitations
- Makes certificate and key rotation harder, since the pinned value changes with the key
- Can lock users out of the service if the pin is misconfigured or not updated before a key change
- Being phased out in browsers in favor of Certificate Transparency
- Still valuable in mobile apps where the developer controls both ends
Related Terms
Certificate Authority
An organization trusted to issue digital certificates that verify the identity of websites, enabling HTTPS encrypted connections.
Man-in-the-Middle Attack
An attack where the adversary secretly intercepts and potentially alters communications between two parties who believe they're communicating directly with each other. MITM attacks can capture credentials, inject malware, or modify data.
TLS
Transport Layer Security is a cryptographic protocol designed to provide secure communication over a computer network. TLS encrypts the connection between your browser and web servers, ensuring privacy and data integrity. It's the technology behind HTTPS.