Comment by Nextgrid

2 years ago

How would you do certificate pinning if you don't control the clients?

My understanding is that certificate pinning is only possible if you control the clients, in which case you can embed which certificates are allowed directly in the client and bypass the whole web PKI.

In a situation with general-purpose clients connecting, how would they know which certificates are meant to be allowed? That's what the web PKI is used for.

Of course, if you do provide your own clients, this just moves the problem further up the chain - in this case the place where customers would download the custom client software would be compromised and a malicious client served instead.

> How would you do certificate pinning if you don't control the clients?

Well, you cannot. If you were paranoid, you would perhaps supply a hash through some out-of-band mechanism, which would require manually updating for each new cert.

Obviously most people wouldn't ever want to do that.
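As an added illustration (not from any commenter in this thread) of the out-of-band pin approach described above: the client holds a small set of SPKI hashes it obtained outside the TLS connection and refuses any peer key not in that set. The key bytes below are constructed stand-ins, not real certificates, and keeping a pin for an offline backup key is what avoids the "update every client on each rotation" problem.

```python
import base64
import hashlib

# Constructed stand-in SubjectPublicKeyInfo blobs (not real keys). In a real
# client these would be the DER-encoded SPKI taken from the peer certificate.
CURRENT_SPKI = b"constructed-spki-current-key"
BACKUP_SPKI = b"constructed-spki-backup-key"
UNKNOWN_SPKI = b"constructed-spki-unknown-key"


def spki_pin(spki_der: bytes) -> str:
    """Pin in the common 'base64(sha256(DER SPKI))' form."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Pins the operator published out of band (e.g. in docs read before the first
# connection). A pin for an offline backup key lets the server rotate keys
# without first shipping a new pin list to every client.
PINNED = frozenset({spki_pin(CURRENT_SPKI), spki_pin(BACKUP_SPKI)})
# A pin set without a backup: rotation will break these clients.
PINNED_NO_BACKUP = frozenset({spki_pin(CURRENT_SPKI)})


def check_pin(presented_spki_der: bytes, pinned: frozenset) -> bool:
    """True only if the presented key is one the client was told to trust.

    Run this in addition to normal chain validation, not instead of it:
    a chain that validates via a mis-issued CA still fails here, which is
    exactly what pinning is for.
    """
    return spki_pin(presented_spki_der) in pinned


def connect_decision(presented_spki_der: bytes, pinned: frozenset) -> str:
    """Fail closed on a mismatch and record what was seen for investigation."""
    if check_pin(presented_spki_der, pinned):
        return "proceed"
    # The client cannot distinguish an interposed party from an un-announced
    # key change, so it must not silently accept the new key.
    return "abort: pin " + spki_pin(presented_spki_der)[:12] + "... not pinned"
```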

Isn't this what those "key hash pictures" in WhatsApp/Signal are solving?

XMPP clients could implement such a mechanism, and if any certificate/domain along the path changes, the users in a conversation would be notified.

  • These are usually to validate the keys used in end-to-end encryption. Both parties must confirm that they see the same details, which confirms that the same keys are being used on both ends.