SSL Pinning Vs Certificate Transparency


gaurav wadhwa

Jun 11, 2023, 4:24:39 AM
to certificate-transparency
Hi Team

Hope you all are doing well!

Considering certain drawbacks of SSL Pinning (continuity of the app), I would like to understand the following:
  1. If an organisation can consider replacing SSL Pinning with Certificate Transparency itself on an Android / iOS app
  2. If yes, whether it provides a similar level of protection to the app
  3. Is there any disadvantage to using Certificate Transparency instead of SSL pinning
  4. If you know of any organizations that are moving from SSL Pinning to Certificate Transparency for mobile apps

Regards, 
Gaurav

Bas Westerbaan

Jun 11, 2023, 9:38:12 AM
to certificate-...@googlegroups.com
Pinning and CT serve two different purposes, and it's a bit weird to compare them as security measures.

CT does not directly prevent misissuance: it only helps to detect it if it happens. You can read more here: https://certificate.transparency.dev/

If you control both sides and can pin a leaf or (intermediate) CA, that's a strictly better measure, as it actually directly prevents certain bad situations.

Best,

Bas


Asaf David

Sep 9, 2024, 10:48:29 AM
to certificate-transparency
The problem with certificate pinning is that certificates are always temporary, and when they are rotated the pinning will stop working, unless you create the new certificate with the same key, which is not good practice.
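As an added example (not code from this thread or from any of its posters), the script below models the two points made above: Bas's note that pinning a leaf key you control is a direct preventive check, and Asaf's point that pinning stops working once the certificate is renewed unless the key stays the same. It computes pins in the `sha256/<base64 of SPKI DER>` form used by HPKP and OkHttp's CertificatePinner, and contrasts pinning the public key (SPKI) with pinning the whole certificate across a renewal and a key rotation. The key bytes and the certificate encoding are constructed stand-ins (only the Ed25519 SubjectPublicKeyInfo DER wrapper is real); everything else is standard-library Python.

```python
import base64
import hashlib
from dataclasses import dataclass

# DER prefix of a SubjectPublicKeyInfo for an Ed25519 key (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits) <32-byte key> }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def spki_der_for_ed25519(raw_public_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_public_key


def pin_of(der: bytes) -> str:
    """'sha256/<base64>' pin format used by HPKP and OkHttp's CertificatePinner."""
    return "sha256/" + base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


@dataclass(frozen=True)
class Cert:
    serial: int
    spki_der: bytes
    der: bytes  # constructed stand-in for the full certificate DER


def issue_cert(serial: int, raw_public_key: bytes) -> Cert:
    """Constructed certificate. A real TBSCertificate carries much more, but what
    matters for pinning is that the SPKI is embedded unchanged while every reissue
    yields a different overall DER (new serial, validity and signature)."""
    spki = spki_der_for_ed25519(raw_public_key)
    der = b"CONSTRUCTED-CERT|" + serial.to_bytes(4, "big") + b"|" + spki
    return Cert(serial=serial, spki_der=spki, der=der)


def spki_pin_ok(cert: Cert, pins: set[str]) -> bool:
    """Public-key pinning: survives a reissue as long as the key pair is unchanged."""
    return pin_of(cert.spki_der) in pins


def cert_pin_ok(cert: Cert, pins: set[str]) -> bool:
    """Whole-certificate pinning: breaks on every reissue, key change or not."""
    return pin_of(cert.der) in pins


def rotation_scenario() -> dict:
    # Constructed key material: not real keys, just 32 deterministic bytes each.
    key_a = hashlib.sha256(b"constructed key A").digest()
    key_b = hashlib.sha256(b"constructed key B").digest()

    cert1 = issue_cert(1, key_a)  # certificate the app shipped with
    cert2 = issue_cert(2, key_a)  # renewal, same key pair
    cert3 = issue_cert(3, key_b)  # renewal after a key rotation

    pins_primary_only = {pin_of(cert1.spki_der)}
    # Defensive practice: also pin a pre-generated backup key, so a planned key
    # rotation does not strand app versions that are already installed.
    pins_with_backup = pins_primary_only | {pin_of(spki_der_for_ed25519(key_b))}
    cert_pins = {pin_of(cert1.der)}

    return {
        "spki_pin_survives_renewal": spki_pin_ok(cert2, pins_primary_only),
        "spki_pin_breaks_on_key_rotation": not spki_pin_ok(cert3, pins_primary_only),
        "backup_pin_covers_rotation": spki_pin_ok(cert3, pins_with_backup),
        "cert_pin_breaks_on_renewal": not cert_pin_ok(cert2, cert_pins),
    }


if __name__ == "__main__":
    for name, ok in rotation_scenario().items():
        print(f"{name}: {ok}")
```

The result table shows why teams that pin at all usually pin the SPKI (or an intermediate CA) rather than the leaf certificate, and why a backup pin for the next key must ship before the rotation happens: a pin set with only the current key turns a routine rotation into an outage for every installed client.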

Bas Westerbaan

Sep 11, 2024, 7:44:04 AM
to certificate-...@googlegroups.com
Agreed. Certificate pinning is bad for the ecosystem as a whole, and checking CT is a good alternative.

