carl mehner's blog

Certificate Pinning

Today I created a webapp that allows for sysadmins and security savvy chrome users to add certificate pins to their sites and browser.

Give it a try over at https://certpins.appspot.com/.

Certificate pinning is a way to tell clients what cert or CA they should be seeing when they connect to your website. The tool builds upon the go implementation of cert pinning in the key-pinning draft.

Resources:
Current Draft Key Pinning
  http://tools.ietf.org/html/draft-ietf-websec-key-pinning
Adam Langley's Blog Post (where I first learned about pinning certs)
  https://www.imperialviolet.org/2011/05/04/pinning.html
Moxie's post about why you should use key pinning in your mobile apps.
  http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/

The code is at github for review and collaboration.

EDIT:

I've called this certificate pinning even though the process is key pinning because the app that creates the key pins specifically only takes certificates to make the pins. Regardless of semantics, enjoy the app for creating key pins.