Reputation: 6022
I can't find good information regarding certificate pinning in iOS and Amazon Certificate Manager.
They recommend you don't pin against an ACM certificate.
https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-pinning
We recommend that your application not pin an ACM Certificate
The reason they don't recommend it is that:
To renew a certificate, ACM generates a new public-private key pair.
Instead, they recommend:
If you're using a public certificate, pin your application to all available Amazon root certificates.
I understand why not to pin to an ACM Certificate - because you will have to release updates with new certificates risking possible bricking of clients. You also can't pin against the public key because it will change.
What I don't understand is how pinning against only the root certificates is ok? Will it still prevent man in the middle attacks? How is this more secure?
Can someone explain it better?
Upvotes: 1
Views: 1201
Reputation: 105
It would not be more secure to pin against the root certificate. I think what the Amazon documentation is trying to recommend is a way that would not break your network connection when the certificate expires and is renewed.
Here's the quote from this website explaining the different kinds of certificate pinning: https://carvesystems.com/news/cert_pin/
Leaf Cert: A leaf cert is the top level cert in a certificate chain. Pinning a leaf cert brings us to almost complete certainty that the certificate matches. However, if you cycle your leaf certs often, updates need to roll out fairly frequently to make sure your customer’s app continues to work.
Intermediate Cert: The intermediate cert lives between the leaf and root cert. In this case, by pinning against the intermediate cert, you’re putting your trust in the intermediate certificate authority. Therefore, you can update your server’s leaf cert more often, as the validation of certs occurs on the intermediate cert.
Root Cert: Finally, the root cert comes from the trusted certificate authority. Pinning the root cert alone puts trust in the root cert authority, as well as all intermediaries that the root cert authority trusts.
Hope this helps
Upvotes: 1
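The following is an added example, not part of the question or the answer above, that models what an iOS client's pin check does using Go's standard library so it can run offline. It constructs a throwaway PKI (a root CA, an intermediate, a leaf for the placeholder host `api.example.com`, a renewed leaf with a fresh key pair as ACM would issue, and a rogue CA that the device also happens to trust) and then compares the two pinning strategies from the thread: pinning the leaf's public key versus pinning the root's public key after normal chain validation. All certificate names, the hostname, and the helper functions are invented for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is base64(SHA-256(DER SubjectPublicKeyInfo)), the usual public-key pin format.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for key under parent; parent == nil yields a self-signed root.
// Leaf certificates get the CN as their DNS SAN so hostname verification works.
func issue(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

type pinAt int

const (
	pinLeaf pinAt = iota // compare chain[0]: breaks on every server key rotation
	pinRoot              // compare the chain's root: survives leaf renewal under the same CA
)

// verifyPinned performs ordinary chain validation (signatures, validity, hostname) and
// then additionally requires the SPKI at the pinned level to be in the pin set. Pinning
// never replaces chain validation; it narrows which trusted CAs may vouch for the host.
func verifyPinned(leaf *x509.Certificate, host string, inter, roots *x509.CertPool, pins map[string]bool, at pinAt) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: inter, Roots: roots})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		c := chain[0]
		if at == pinRoot {
			c = chain[len(chain)-1]
		}
		if pins[spkiPin(c)] {
			return nil
		}
	}
	return errors.New("chain validated, but no pinned public key at the pinned level")
}

// Scenarios builds the constructed PKI and reports which (certificate, pin strategy) pairs pass.
func Scenarios() map[string]bool {
	const host = "api.example.com" // placeholder hostname
	rootKey, interKey, rogueKey := mustKey(), mustKey(), mustKey()
	root := issue("Example Root CA", rootKey, nil, nil, true)
	inter := issue("Example Intermediate CA", interKey, root, rootKey, true)
	leaf := issue(host, mustKey(), inter, interKey, false)
	rotated := issue(host, mustKey(), inter, interKey, false) // renewal with a new key pair, as ACM does
	rogueRoot := issue("Rogue Root CA", rogueKey, nil, nil, true)
	mitmLeaf := issue(host, mustKey(), rogueRoot, rogueKey, false) // attacker cert for the same host

	roots, inters := x509.NewCertPool(), x509.NewCertPool() // device trust store incl. the rogue CA
	roots.AddCert(root)
	roots.AddCert(rogueRoot)
	inters.AddCert(inter)
	leafPins := map[string]bool{spkiPin(leaf): true}
	rootPins := map[string]bool{spkiPin(root): true}
	ok := func(l *x509.Certificate, pins map[string]bool, at pinAt) bool {
		return verifyPinned(l, host, inters, roots, pins, at) == nil
	}
	_, plainErr := mitmLeaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return map[string]bool{
		"leaf-pin/original-leaf": ok(leaf, leafPins, pinLeaf),    // true
		"leaf-pin/rotated-leaf":  ok(rotated, leafPins, pinLeaf), // false: renewal bricked the client
		"root-pin/rotated-leaf":  ok(rotated, rootPins, pinRoot), // true: renewal is transparent
		"root-pin/mitm-leaf":     ok(mitmLeaf, rootPins, pinRoot), // false: trusted CA, but not the pinned one
		"no-pin/mitm-leaf":       plainErr == nil,                // true: without a pin any trusted CA suffices
	}
}

func main() {
	for name, pass := range Scenarios() {
		fmt.Printf("%-24s %v\n", name, pass)
	}
}
```

The `root-pin/mitm-leaf` case is the one that answers the question in the thread: the rogue certificate chains to a CA the device trusts, so plain TLS validation accepts it, but the root pin rejects it because the chain does not end in a pinned Amazon root. The `leaf-pin/rotated-leaf` case shows why AWS advises against pinning the ACM leaf: a routine renewal with a fresh key pair fails the pin until the app is updated.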