What is certificate pinning?
Typically certificates are validated by checking the signature hierarchy; MyCert
is signed by IntermediateCert
which is signed by RootCert
, and RootCert is listed in my computer's "certificates to trust" store.
Certificate Pinning was where you ignore that whole thing, and say trust this certificate only or perhaps trust only certificates signed by this certificate, ignoring all the other root CAs that could otherwise be trust anchors. It was frequently also known as Key Pinning, since it was actually the public key hash that got saved.
But in practice, Key Pinning turned out to cause more problems than it solved. It was frequently misconfigured by site owners, plus in the event of a site compromise, attackers could maliciously pin a cert that the site owner didn't control. Key Pinning was deprecated in 2017, and was removed entirely from Chrome and Firefox in Nov. 2019. It was never supported to begin with by IE and Safari.
The recommended replacement is to use the Expect-CT header to tell browsers to require that the cert show up in Certificate Transparency logs.
It's ambiguous, but it refers to solutions for an issue in SSL certificate chain verification. Essentially, trust in SSL boils down to root certificates, the certificates your system trusts in to be genuine. Those either come with your OS or with your browser. If one of those is compromised, all certificates signed by this and transitively signed certificates are to be treated as compromised.
TACK or Public Key Pinning Extension (referred to as cert pinning by chrome, apparently) allows the admin of a server to "pin" a certificate authority's (CA) public key signature to a certificate, which is verified by the client (delivered via SSL extension). If the CA certificate's key is different upon retrieval of the certificate chain, the CA certificate is likely to be compromised. Source
Cert pinning can also refer to importing a host's certificate in your trust store, rather than trusting CA certificates. This mitigates the risk of a CA cert being compromised but forces you to update certificates if they expire manually. Source
SSL server certificates come from the X.509 world. The client verifies the validity of the server's certificate by validating a lot of cryptographic signatures from Certification Authorities. The beauty of the scheme is that it is stateless: a given server could change its certificate every five minutes, and it would still work with clients.
It has been argued that while supporting fast-revolving certificates is awesome but useless, because in practice a given server changes its certificate once per year; indeed, an early certificate switch is indicative of some ongoing fishy business. Certificate pinning is a way for a server to state that this should not happen under normal conditions, and that the client should raise a metaphorical eyebrow should an unexpected certificate switch occur. This is a protocol extension, suggested but not widely supported yet. Actually there seems to be several relatively similar, competing proposals.
See also Convergence, yet another protocol extension which can be thought of as "certificate pinning by trusted third parties". Convergence and the certificate pinning proposals all dance around the same core idea, which is to have some state in the client (or somewhere, at least), and trigger security warnings when certificates change too often or too early. Whether any of these proposals will ever reach wide acceptance (i.e. will be implemented in a compatible way by IE, Firefox, Chrome and Safari, and will be used by most SSL server sysadmins) is anyone's guess.