Sierraware Blog

Exposing Security Black Holes Created by Certificate Pinning

In just under two weeks, Sierraware’s CEO, Gopal Jayaraman, will discuss risks introduced by certificate pinning at BSides San Francisco. Gopal’s session, at 10:00 A.M. on April 19th, gives you an important reason to wake up early on Sunday. If you are coming into San Francisco to attend RSA Conference 2015, be sure to attend. During his session, Gopal will explain why developers are implementing certificate pinning in their apps. He will describe how certificate pinning works and how it creates security black holes in corporate defenses.
The Chain of Trust Can’t Be Trusted
Today, cybercriminals and even governments can exploit the certificate trust model, because a client trusts every one of the hundreds of root CAs in its trust store equally, and any of them (or any intermediate they have signed) can issue a certificate for any domain. Malware can install rogue root CA certificates on devices, certificate authorities (CAs) can issue unauthorized certificates to nefarious organizations, and laptop vendors have shipped preinstalled software that adds its own root CA to the trust store. Recent news headlines illustrate that these dangers are real. For example, on March 20th, Google discovered that unauthorized certificates for several Google domains had been issued by an intermediate CA that chained to a trusted root. Unfortunately for Google, this is not the first time a CA has issued certificates for Google domains without Google’s permission.
App Developers Are Fighting Back
To verify the identity of their servers independently of the device trust store, an increasing number of app developers are implementing certificate pinning. Instead of accepting any certificate that chains to some trusted root, a pinned app checks that the server certificate, or more commonly the hash of the server’s public key (SubjectPublicKeyInfo), matches a value “pinned” into the app at build time. This defeats Man in the Middle (MitM) attacks that rely on mis-issued or attacker-installed certificates, since a certificate from the wrong CA fails the pin check even though the operating system would accept it. In practice developers pin the public key rather than the whole certificate, so that routine renewal does not break the app, and ship a backup pin for key rotation. Today’s most popular mobile apps, including Facebook, Twitter, Dropbox and many more, use certificate pinning.
Certificate Pinning Reduces Security Visibility
While certificate pinning improves user privacy, it also creates a gap in corporate defenses. Enterprise SSL inspection works by terminating the connection at a proxy or firewall and presenting the client with a certificate issued on the fly by a corporate CA that IT has pushed to managed devices. A pinned app rejects that certificate because its key does not match the pin, so the inspection device cannot decrypt the traffic; depending on how the proxy is configured, the app either fails to connect or its traffic passes through uninspected. Almost every type of network security product, including intrusion prevention, data loss prevention (DLP), forensics, and advanced threat protection (ATP) platforms, is therefore blind to threats hidden in pinned traffic; certificate pinning creates a black hole in organizations’ defenses.

Sierraware’s session at BSidesSF will explain the risks introduced by certificate pinning. Attend the session to learn creative strategies that can help IT Security teams regain visibility into all traffic, including traffic from apps that pin their server certificates.

Session Details

What: Stick a Pin in Certificate Pinning: How to Inspect Mobile Traffic and Stop Data Exfiltration

When: Sunday, April 19, 2015 at 10:00 A.M.

Where: Security BSides San Francisco at the OpenDNS office, 135 Bluxome St. San Francisco, CA 94107

Attend our session and let us know what you think.

On an unrelated note, go Duke in the NCAA finals!