What is SSL pinning and why do application developers use it?
Application developers use SSL pinning (more precisely, TLS certificate or public-key pinning) as an additional security layer for application traffic. It defeats man-in-the-middle attacks that rely on a certificate the client would otherwise trust, and as a side effect makes it much harder for an attacker to intercept the app's traffic and analyse how it communicates with the server. SSL pinning restricts the client to trusting only a pre-defined server certificate or public key, rather than any certificate that chains to a CA in the device's trust store, which ensures that user devices communicate only with the intended servers.
How does it work?
During development, the developers embed (or pin) a list of trusted certificates or public keys in the client application, and at runtime the client compares the certificate presented by the server against that list. If the server's certificate does not match the local copy, the TLS handshake is aborted and no user data is sent to that server. Because the check happens before the application sends its first request, a mismatch fails closed rather than falling back to an ordinary CA-validated connection.
There are two common ways to implement SSL pinning in a client application: pin the whole certificate, or pin a hash of its public key (the SubjectPublicKeyInfo, SPKI). Pinning the whole certificate breaks every time the certificate is renewed; pinning the public key survives renewal as long as the server keeps the same key pair, which is why key pinning is generally preferred and why a backup pin for a spare key should be shipped alongside it.
When an application (mobile app, API client or web app) has SSL pinning enabled, it is difficult for customers to introduce security solutions or in-path devices that work as a reverse proxy, because a reverse proxy terminates TLS.
As soon as a reverse proxy is placed between client and server, the TLS handshake is established between the application client and the reverse proxy, and the client receives the certificate installed on the reverse proxy rather than the pinned origin certificate. The client therefore rejects the connection as an untrusted server, exactly as it would reject a man-in-the-middle, since from the client's point of view the two cases are indistinguishable.
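The following Go program is an added example, not code from the original page or from AppTrana, that shows both halves of the discussion above: how a client computes and checks a public-key (SPKI) pin, and why a TLS-terminating reverse proxy fails that check. It generates two throwaway self-signed certificates for the same hostname, one standing in for the real origin and one for a reverse proxy with its own key, pins the origin's key, and runs the verifier against both. The hostname `api.example.com` and the function names (`spkiPin`, `certPin`, `newPinVerifier`, `pinningOutcome`) are assumptions of this example; `tls.Config.VerifyPeerCertificate`, `x509.CreateCertificate` and `RawSubjectPublicKeyInfo` are standard-library Go APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the pin for a certificate's public key in the widely used
// "sha256/<base64>" form: SHA-256 over the DER-encoded SubjectPublicKeyInfo.
// This survives certificate renewal as long as the key pair is reused.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// certPin pins the entire DER certificate instead. It changes on every
// renewal, which is the main reason key pinning is usually preferred.
func certPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// newPinVerifier builds a callback suitable for tls.Config.VerifyPeerCertificate.
// Go runs it after normal chain validation; returning an error aborts the
// handshake, so no application data is ever sent to an unpinned server.
func newPinVerifier(pins []string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	pinned := make(map[string]struct{}, len(pins))
	for _, p := range pins {
		pinned[p] = struct{}{}
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pinning: server presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("pinning: cannot parse leaf certificate: %w", err)
		}
		if _, ok := pinned[spkiPin(leaf)]; !ok {
			return fmt.Errorf("pinning: leaf key %s is not pinned, aborting handshake", spkiPin(leaf))
		}
		return nil
	}
}

// selfSignedCert creates a throwaway ECDSA certificate (constructed test data)
// so the example runs offline without contacting any server.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pinningOutcome replays the two situations from the text: the client reaches
// the real origin, and the client reaches a TLS-terminating reverse proxy that
// presents its own certificate for the same hostname (hypothetical api.example.com).
// It returns (originAccepted, proxyAccepted).
func pinningOutcome() (bool, bool, error) {
	origin, err := selfSignedCert("api.example.com")
	if err != nil {
		return false, false, err
	}
	proxy, err := selfSignedCert("api.example.com") // same name, different key pair
	if err != nil {
		return false, false, err
	}
	verify := newPinVerifier([]string{spkiPin(origin)})
	originErr := verify([][]byte{origin.Raw}, nil)
	proxyErr := verify([][]byte{proxy.Raw}, nil)
	return originErr == nil, proxyErr == nil, nil
}

func main() {
	originOK, proxyOK, err := pinningOutcome()
	if err != nil {
		panic(err)
	}
	fmt.Printf("origin accepted: %v, reverse proxy accepted: %v\n", originOK, proxyOK)
	// In a real client: &tls.Config{VerifyPeerCertificate: newPinVerifier(pins)}
}
```

The proxy is rejected even though it carries the correct hostname, because the verifier never looks at the name, only at the key. That is precisely the property that blocks a man-in-the-middle and, equally, any in-path device that terminates TLS with its own certificate.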
The AppTrana cloud WAF provides the flexibility to configure the SSL settings, which can make customers' SSL-pinned applications fully compatible with AppTrana, as below –