[jsmith12673]

You create a Root Self Signed Certificate, and then deploy leaf certs signed by that root to your API.

Then deploy your client apps with the certificate of your self signed root.

Assuming that your root is safe, no attacker will be able to generate a cert that will be accepted by your client.

[kayson]

That doesn't make sense to me, sorry. Got an article or something?

[castillar76]

The confusion here might be around the term "self-signed". Technically, all roots are self-signed—that's the definition of a root CA!—but in this case the user just means "self-signed" as in "signed by me, not signed by some commercial third party". "Self-signed certificates", though, usually refer to certificates with no PKI chain: the device created a single certificate, signed it with its own key, and then just distributes it to create trust without the usual hierarchy of a PKI.

The attack on that latter system is that you as the client have no basis on which to trust that cert when its first presented. So an attacker who can intercept that first presentation of the certificate and replace it can MITM the traffic flow without you knowing. Worse, most devs "fix" that initial trust problem by telling the client not to validate the cert when its presented (because they wouldn't have any basis for doing that anyway), so an attacker is free to inject their own cert into the traffic at any time.

Using an actual private PKI hierarchy helps fix this: you create a root, and get your clients to trust only that root. Now you can issue your own certs, and an attacker can't MITM the traffic unless they can get their own cert from your CA. That's the same model as is used with commercial CAs: you're just operating the root of the chain yourself instead of paying someone else to do it.

[kayson]

But isn't this exactly why certificate pinning is needed... Sure I can roll my own PKI and install the Root CA on the client devices, but they can still intercept their own traffic by installing their own trusted Root CA.

[jsmith12673]

If the TLS client isn't a webbrowser, it doesn't have to use the list of trusted roots provided by the underlying system (be it OS or browser).

Certificate Pinning is the solution you'd look to if you have a clients that cannot securely ship with root certificates/cannot pick the root certificates they will use to validate a certificate when initiating a TLS connection.

Edit: I should add that I am not a mobile developer, so I don't actually know if the 'bring your own root CA' method is supported by the corresponding TLS libraries. But I know that this is possible 'in general'

[castillar76]

I missed the parenthetical on your comment, my apologies. You're right: if you can monkey around with things enough to SSL-proxy the traffic, then rolling your own PKI will not help prevent that. What will help prevent that, yes, is pinning, but my argument above was that pinning to any single CA (or worse, any single leaf certificate) without a mechanism for replacement is what gets people into trouble. Selecting a small set of trusted CAs is a much stronger pattern, and would preserve the inability of clients to swap out their own certs or proxy their own traffic (although it may also break things—Google had to bend on that one a bit to allow for enterprise SSL decryption, e.g.).

[dcow]

Not entirely accurate. Your client software builds a TLS client with your sole private trusted root. Nobody can MITM with a self signed cert unless they can reverse your client (or system) enough to hook the TLS stack, which there are numerous tools out there to do which is also why (but also irrespective of the fact) IMHO the "zomg we must prevent the user from seeing _their_ traffic" is a totally bogus pursuit. However, if you're dead set on thwarting some subset of the script kiddies, then mTLS is your friend because it's a real solution to the "I want to authenticate my client (perhaps because only it should see the traffic)" problem.

[dcow]

Because you control the client software so you just make a TLS client that has only your root trust anchor. This is exactly the same as CA/pubkey pinning from a threat model perspective.

[swixmix]

OpenBSD does something like this. In the current release, they provide the public keys for the next release. After trust-on-first-use it's a never-ending cycle.

I call it trust-on-first-use because I didn't verify the initial signatures. Hmmm..

[jsmith12673]

Don't have an article on hand :/ just something that I've played around over with over time.

Which part is confusing? Maybe I can try to clarify/give examples where helpful.

[kayson]

I think you're maybe talking about an adversarial MITM. I'm talking about someone trying to reverse engineer your API by intercepting their own traffic