6 comments

[ 3.4 ms ] story [ 22.4 ms ] thread
In a world of growing cyber threats, securing your app’s communication is critical. Learn how to implement Certificate Pinning in Swift with URLSession in order to protect your iOS or macOS apps from man-in-the-middle attacks and keep user data safe.
Do other softwares support specifying a CA bundle per domain or cert pinning?

Should FIPS specify a more limited CA cert bundle and/or cert pinning that users manage?

When the user approves a self-signed cert in the browser, isn't that cert pinning but without PKI risks and assurances?

What about CRL and OCSP; over what channel do they retrieve the cert revocation list; and can CT Certificate Transparency on a blockchain to the browser do better at [pinned] cert revocation?

This means I will need to update the app when the certificate changes on the server, i.e. it has expired and needs to be renewed.
Exactly, and you make it more difficult to rotate certificates when you suspect compromise, which is an important security feature.
Do not pin to publicly-trusted certificates. It is a bad, bad idea. The roots, CAs and even the keys you might pin to are not within your control and can change with little or no notice. Certificate lifetimes are being driven down, too. Don’t do this.