- The purpose of the server identification is to prevent a machine located between the browser and the webserver from intercepting the traffic in transit, pretending to be the server, and decrypting the information as it is passed along.
- This type of attack is known as a Man In The Middle (MITM) attack. SSL certificates are generated by certificate authorities: companies that verify a server’s identity and produce a certificate for a fee.
+ The purpose of the server identification is to prevent a machine located between the browser and the webserver from pretending to be the server and decrypting the information in transit.
+ This type of attack is known as a Man In The Middle (MITM) attack. SSL certificates are generated by certificate authorities: companies that verify a server’s identity and produce a certificate for a fee.
Android has a list of trusted certificate authorities, and will accept any of their certificates for any website.
It isn’t supposed to be possible for an organization to acquire an SSL certificate for a domain they do not control, but in practice many governments and large corporations have been able to do so.</p>
Android has a list of trusted certificate authorities, and will accept any of their certificates for any website.
It isn’t supposed to be possible for an organization to acquire an SSL certificate for a domain they do not control, but in practice many governments and large corporations have been able to do so.</p>
- <p>The purpose of SSL certificate pinning is to tell the browser that only one specific SSL certificate is to be trusted for a particular domain. Any other valid certificate will be rejected.</p>
+ <p>The purpose of SSL certificate pinning is to tell the browser that only one specific SSL certificate is to be trusted for a particular domain. Any other certificate, even if it is valid, will be rejected.</p>
<p><img class="center" src="images/ssl_certificate_mismatch.png"></p>
<p>SSL certificates expire on a specified date, so even pinned SSL certificates will legitimately need to be updated from time to time.
As a general rule, pinning SSL certificates probably isn’t needed in the majority of cases.
<p><img class="center" src="images/ssl_certificate_mismatch.png"></p>
<p>SSL certificates expire on a specified date, so even pinned SSL certificates will legitimately need to be updated from time to time.
As a general rule, pinning SSL certificates probably isn’t needed in the majority of cases.
- But for those connecting to their own servers, or for those who suspect that powerful organizations may be targeting them directly, SSL certificate pinning can detect and thwart a MITM attack.</p>
+ But for those who suspect that powerful organizations may be targeting them, SSL certificate pinning can detect and thwart a MITM attack.</p>