TLS/SSL Certificate Pinning Explained

  • Published: 26 Jan 2025
  • Science

Comments • 55

  • @mkc0321 3 years ago +24

    I cracked my interview with this explanation. Thanks a lot!

    • @hnasr 3 years ago

      👏👏

    • @joelewis9137 3 years ago

      You all prolly don't give a shit, but does anyone know a method to get back into an Instagram account?
      I stupidly forgot my password. I would appreciate any help you can offer me.

  • @Cutecontentsforyou 11 months ago +2

    Why are you explaining it for so long? It's actually very simple.

  • @jeromemacaspac2792 6 months ago +1

    Hey, this video is 4 years old, but it's still the same great explanation I was looking for. For anyone confused about the certificate pinning of CrowdStrike, this is exactly how it happens.

  • @asifahmedsourav6355 3 years ago

    Easy and helpful. Thanks a ton, Hussein Sir. Learning these types of things has never been this easy.

  • @Drunkenhead 4 years ago +4

    Hi Hussein, nice explanation. But as you mentioned, there may be a dynamic set of domains. Is there an alternative for this situation? There is an approach called Certificate Transparency (CT); could you make a video about that?

  • @ch94086 4 years ago +2

    Hi Hussein! Maybe you can do a follow-up on public key pinning and certificate transparency. Seems like most certificate pinning libraries set a hash of the Subject Public Key Info. (It wasn't clear to me if the CA key is pinned sometimes.) While watching your video I was going to comment on pinning a certificate that expires in a month, but you mentioned it. Pinning the key hash solves that. I guess some apps have some side channel to update the pinned key hashes.

    • @hnasr 4 years ago

      Carl Hage, thanks Carl! Yes, I think there are multiple ways of tackling this. Pinning the hash of the public key seems to be the least disruptive.

  • @ismailayoub3139 3 years ago +2

    Great explanation as always man

  • @alevsk 2 years ago

    In the case of DNS poisoning, the malicious website can still serve the public key certificate from the original website (because it is public), but you still need to have the private key to decrypt the traffic, so how is it going to work?
    You either hack the original server and steal the private key from there, or you have to trick a certificate authority so they issue you a new valid key pair/certificate trusted by the clients; in both cases there's no need for DNS poisoning at this point. Is there something I'm missing?

  • @raghuvallikkat3384 4 years ago +4

    Thank you for accommodating the request

  • @rishiprotimbose6167 4 years ago +1

    Hussein, you are the saviour, man... I was trying to explore this. Wasted a few days trying to understand it. But your explanation cleared up every single doubt... 😂

    • @hnasr 4 years ago +1

      ❤️❤️

  • @MasterSergius 2 years ago

    Thank you, now I completely understand it

  • @thiruvenkatakrishnan4242 1 year ago

    Great and clear explanation! Thank you

  • @MrVipulLal 2 years ago

    Short and sweet. Thanks

  • @abdulmoizsheikh8031 4 years ago

    Hi, I didn't quite get what you meant by recompiling the source after adding an entry for the certificate hash. I assume you mean adding/removing key-value pairs in the store?

  • @sergeymohov2699 4 years ago +1

    Hussein, you are great.

  • @godfirstamaka4185 1 year ago

    😂😂😂.. I love your content and how funny you are

  • @thechirpy_wanderer 3 years ago

    Hi, thanks for explaining... Is there any way of doing SSL pinning where we can make changes on the server side only, without making any changes in the app, so that we don't need to release the app with the new certificate on the store when the certificate expires?

  • @heetdhuvad9984 11 months ago

    Cloudflare SSL gets renewed every 3 months, so every 3 months I need to update the APK with the new hash. Is there any solution for this?

  • @techmarinar 3 years ago

    Thanks man, this was very helpful to me ☺️☺️

  • @lusrinu 4 years ago +1

    Super video. When did TLS pinning become popular for authentication between servers?

  • @mikexue5104 4 years ago +1

    What if, at the very first client SSL/TLS session to the server, there is a man-in-the-middle who pretends to be the server? Will the client be cheated?

    • @abdulmoizsheikh8031 4 years ago

      I think that might only happen in the extreme case of DNS poisoning. Otherwise, your browser will catch whether the digital signature sent from the server is valid or not.

  • @d36247 1 year ago

    Thanks, nice and clear explanation

  • @cyberrado 9 months ago

    I truly love your explanation, but somehow I feel like Lalo Salamanca is talking :D

  • @lusrinu 4 years ago +1

    A request: can you do a video on the history of security techniques (TLS / Kubernetes / OpenSSL) with options applicable to different types of projects: e-commerce / bank / mobile app, etc.?

    • @lusrinu 4 years ago

      Basically I wanted to have a primer on the history of security techniques and the current landscape

  • @nitinneo7 3 years ago

    Hi Hussein, for mobile applications which have a specific endpoint (domain) to connect to, it is clear that SSL pinning would keep the request secure. Is there any way that the request is seen by a man in the middle, and if so, could they get the details of the pinned certificate?

    • @syth-1 2 years ago

      A man in the middle won't see the content of the traffic; heck, it will fail at the handshake, as the client will reject the certificate it tries to spoof. You can make an educated guess as to why it failed (aka the application uses cert pinning); the only thing you will see is the URL/domain it tried connecting to.
      On Android it puts you into a full lockdown as soon as you connect to a man-in-the-middle router, at least on Android 12 (it gives a notification saying connection functionality is limited or something).

  • @gauthamr906 4 years ago

    Wouldn't the client verify the domain in the shady certificate it received back and reject it if it's not the same as the one requested?

    • @hnasr 4 years ago +2

      Gautham R, the shady certificate will have the same domain requested by the client; it's just signed by a shady CA

    • @gauthamr906 4 years ago

      Hussein Nasser, thanks a lot. That makes sense.

  • @s8x. 4 months ago

    So this happens in the front-end JavaScript? Can't someone change the JavaScript?

  • @verryondrums 4 years ago

    This was a great great great explanation!

    • @hnasr 4 years ago

      Glad you enjoyed it!

  • @pranaychoudhary3253 3 years ago

    Great video! I have one question though: what happens when the pinned certificate expires?

    • @nitinneo7 3 years ago

      Great question! Let's take the example of the mobile application connecting to known domain servers, as pointed out at the end of the video. So the Android developer has the option of pinning the low-level domain cert, which might have a validity of one year, or the CA one, which might have a validity of 3-5 years. Let's say they pin the domain certificate, which has 1 year validity. Now, before the cert expires, on the mobile end they chain the old cert and the new cert and provide an update to the application. This way, when the server undergoes the cert change, there would not be any bad experience for the customer using the mobile application. The problem would only appear if automatic updates are turned off. Also, usually this is controlled by the minimum supported version of the application, which would thereby mandate the user to update the application to use it further.
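
An added worked example (not code from the video, from Hussein, or from any commenter) of the two points raised above: pinning the SHA-256 of the SubjectPublicKeyInfo rather than the whole certificate, as @ch94086 describes, and shipping the next key's pin ahead of rotation, as @nitinneo7 describes. It also shows the point @hnasr makes to @gauthamr906: a certificate for the right domain but signed by a key the app never pinned is rejected. The hostname is a placeholder and the certificates are constructed self-signed leaves generated at run time so the example runs offline; `PinSet.VerifyPeer` has the signature of Go's `tls.Config.VerifyPeerCertificate` so it can be plugged into a real client, where it runs in addition to, not instead of, normal chain validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the base64 SHA-256 digest of a certificate's
// SubjectPublicKeyInfo: the value pinning libraries typically store.
// Pinning the key instead of the certificate means a renewal that reuses
// the same key does not invalidate the pin.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinSet is the set of accepted SPKI digests compiled into the client app.
// It should always hold at least one backup pin for the next key.
type PinSet map[string]bool

// VerifyPeer has the shape of tls.Config.VerifyPeerCertificate: it receives
// the raw DER chain the server presented and accepts it only if some
// certificate in that chain carries a pinned key. Standard chain validation
// against the trust store still runs separately; this is an extra check.
func (p PinSet) VerifyPeer(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		if p[SPKIPin(cert)] {
			return nil
		}
	}
	return errors.New("pinning failure: no certificate in the chain matches a pinned key")
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// selfSignedLeaf builds a constructed self-signed leaf certificate for host
// with the given key. Real servers present CA-issued chains; self-signed
// certs are used here only so the example runs offline.
func selfSignedLeaf(host string, key *ecdsa.PrivateKey, serial int64) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// ScenarioResult records whether each presented certificate passed the pin check.
type ScenarioResult struct {
	Current, RenewedSameKey, RotatedNewKey, Impostor bool
}

// RunScenario pins the current key plus the planned next key, then checks four
// certificates for the same domain: the current one, a renewal with the same
// key, the rotated cert with the next key, and one for the same domain signed
// with a key the app never pinned (the "shady CA" case).
func RunScenario() ScenarioResult {
	const host = "api.example.test" // placeholder hostname
	currentKey, nextKey, unknownKey := newKey(), newKey(), newKey()

	current := selfSignedLeaf(host, currentKey, 1)
	renewed := selfSignedLeaf(host, currentKey, 2) // renewed cert, same key
	rotated := selfSignedLeaf(host, nextKey, 3)    // renewed cert, new key
	impostor := selfSignedLeaf(host, unknownKey, 4) // right domain, unpinned key

	pins := PinSet{}
	for _, der := range [][]byte{current, rotated} { // backup pin shipped ahead of rotation
		c, err := x509.ParseCertificate(der)
		if err != nil {
			panic(err)
		}
		pins[SPKIPin(c)] = true
	}
	ok := func(der []byte) bool { return pins.VerifyPeer([][]byte{der}, nil) == nil }
	return ScenarioResult{ok(current), ok(renewed), ok(rotated), ok(impostor)}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it prints `{Current:true RenewedSameKey:true RotatedNewKey:true Impostor:false}`: the pin survives both a same-key renewal and a pre-announced key rotation, while a certificate for the same hostname under an unpinned key fails at the handshake, which is the behaviour @syth-1 describes from the attacker's side of the connection.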

  • @godfirstamaka4185 1 year ago

    And I ended up subscribing too

  • @LtW00dy 1 year ago

    Great explanation, but it's considered a bad practice these days. If certificates need to be updated because one was spoofed, expired, or simply needs rotation (which is mandatory for compliance with regulations), this can't be done with the agility that is necessary. Also, it's important to say that HPKP is now deprecated.

  • @ruhankhandakar 4 years ago

    Awesome.. thanks

  • @jayseb 1 year ago

    Good video, but these days an attacker can't just serve you a "shady" cert. You (the user) will need to accept the "injected" cert/root and then import it and go on with the app flow... If users simply accept an injected cert and authority, we have all failed. But yeah, it's technically possible, but not without the acceptance -> just like when using Burp on your local machine to proxy the flow. Your browser won't simply enable comms; the certs and root have to be injected. Cheers.

  • @douaasu3931 3 years ago

    Thank you

  • @ca7986 4 years ago

    ❤️

  • @cstlabs1772 2 years ago

    Fail ..haiinn,

  • @moosegoose1282 4 years ago

    The Indian tutorial told me SSL pinning means "uh er uh uh". Holy fuck, thank you.

  • @murradkhalil1429 3 years ago

    hhhhhhh, "my pins are the worst"