HTTPS Pinning

Richard Stanway r1ch+nginx at teamliquid.net
Fri Jun 7 13:45:08 UTC 2019


In the context of a mobile app, pinning usually means checking the public
key of the server in your app matches what is expected. There is nothing to
configure server-side. If you change the private key used by your SSL
certificate, then your app will break. Renewing an SSL certificate doesn't
usually change the private key, but check your renewal process to be sure.

I would also suggest adding several backup public key hashes in the app in
the event that you need to rotate your private key so you can do this
without having to wait for an app store update.

That said, pinning offers little benefit, as if your app is already
verifying the certificate the most this protects you from is a root cert
MITM, e.g. from a corporate network SSL interception product, which is quite
rare.
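To make the three points above concrete (pins are on the public key rather than the certificate, a renewal that keeps the key still passes, and a pre-shipped backup pin lets you rotate without an app update), here is an added example that is not part of the original post. The DER helpers, the certificate skeleton and the key bytes are all constructed stand-ins; a real app would take the DER certificate from its TLS library and compare against the same base64 SHA-256 SPKI hashes.

```python
import base64
import hashlib
# Minimal DER helpers, constructed for this example; enough for the certificate skeleton below.
def der_tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_children(value: bytes) -> list:
    """Split a DER SEQUENCE body into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, n, start = value[pos], value[pos + 1], pos + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, start = int.from_bytes(value[start:start + k], "big"), start + k
        out.append((tag, value[start:start + n], value[pos:start + n]))
        pos = start + n
    return out

def spki_pin(cert_der: bytes) -> str:
    """base64(sha256(DER SubjectPublicKeyInfo)): pinning hashes the key, not the certificate."""
    tbs_fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    idx = 6 if tbs_fields[0][0] == 0xA0 else 5        # [0] version is optional; it shifts the SPKI index
    return base64.b64encode(hashlib.sha256(tbs_fields[idx][2]).digest()).decode()

# Constructed stand-ins: an EC-style SPKI around placeholder key bytes, and a v3 cert skeleton.
def fake_spki(key_bytes: bytes) -> bytes:
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # id-ecPublicKey OID
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key_bytes))

def fake_cert(serial: int, not_after: bytes, spki: bytes) -> bytes:
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))    # version, serial
    tbs += der_tlv(0x30, b"") * 2                                                     # sigalg, issuer
    tbs += der_tlv(0x30, der_tlv(0x17, b"190101000000Z") + der_tlv(0x17, not_after))  # validity
    tbs += der_tlv(0x30, b"") + spki                                                  # subject, SPKI
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
CURRENT_KEY, BACKUP_KEY, UNKNOWN_KEY = (b"\x04" + bytes([i]) * 64 for i in (0x11, 0x22, 0x33))
# Pinset shipped inside the app: the live key plus one backup pin, as the post recommends.
PINSET = {spki_pin(fake_cert(1, b"200101000000Z", fake_spki(k))) for k in (CURRENT_KEY, BACKUP_KEY)}

def pinning_outcomes() -> dict:
    """Does the app's pin check still pass after each of the server-side events the post describes?"""
    def ok(serial, key):
        return spki_pin(fake_cert(serial, b"210101000000Z", fake_spki(key))) in PINSET
    return {"renewal_same_key": ok(2, CURRENT_KEY),     # new serial/expiry, same key: passes
            "rotate_to_backup": ok(3, BACKUP_KEY),      # rotated to pre-shipped backup: passes
            "rotate_to_unknown": ok(4, UNKNOWN_KEY)}    # rotated to an unpinned key: app breaks
```

The same `spki_pin` value is what `openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` produces for a real certificate, so the pinset can be generated from the server's current and backup keys before the app ships.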