by synhare 2135 days ago
The number of times I've heard people in the tech community mention certificate pinning as a valuable security mechanism is like the number of times I've heard about zombies, despite the fact that they just don't exist.

I've worked on a team that reverse engineered and did security audits on a lot of commercial and consumer applications. We saw cert pinning implemented correctly maybe once or twice a year, by companies large enough that their security team was larger than most software companies' entire payroll.

Basically, it's not a thing that exists because it is really hard to implement properly. The threat model for being MITM'ed with cert spoofing is pretty exotic. In the end, cert pinning means your application is not working if something goes wrong with the certs, which EVERYONE at some point forgets to renew, or, worse, your CA inadvertently gets hosed.
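The operational fragility described above can be seen in a few lines of Go. This is an added example, not the commenter's code: it pins the server key's SPKI hash (base64 of SHA-256 over SubjectPublicKeyInfo) rather than the certificate, so a renewed certificate with the same key still passes, while an unplanned key change fails closed unless a backup pin was shipped in advance. The certificates are constructed self-signed test certs; hostname checks and CA validation are out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the usual pin format.
func spkiPin(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a P-256 key
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedChainOK accepts a chain only if some certificate in it carries a pinned key.
func pinnedChainOK(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pub, ok := c.PublicKey.(*ecdsa.PublicKey); ok && pins[spkiPin(pub)] {
			return true
		}
	}
	return false
}

func selfSigned(key *ecdsa.PrivateKey, serial int64) *x509.Certificate { // constructed test cert
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	keyA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keyB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // backup key, generated ahead of time
	pins := map[string]bool{spkiPin(&keyA.PublicKey): true}
	fmt.Println(pinnedChainOK([]*x509.Certificate{selfSigned(keyA, 2)}, pins)) // true: renewed cert, same key
	fmt.Println(pinnedChainOK([]*x509.Certificate{selfSigned(keyB, 3)}, pins)) // false: new key, no backup pin
	pins[spkiPin(&keyB.PublicKey)] = true                                      // backup pin shipped in advance
	fmt.Println(pinnedChainOK([]*x509.Certificate{selfSigned(keyB, 3)}, pins)) // true: rotation survives
}
```

The second line is the outage the comment warns about: a key or CA change the client did not anticipate makes every connection fail, which is why a pin set needs a backup pin for a key held offline before it is ever needed.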

1 comment

What's it take to implement it correctly? What are the most common implementation mistakes?
Would love some pointers too. I've run into it once, implemented in a way I couldn't circumvent, and was blown away. I'd love to develop the skills to do the same myself.