Avoiding downtime: modern alternatives to outdated certificate pinning practices

Surprisingly low quality article from Cloudflare.

None of the solutions offered address the risk that pinning tries to mitigate, namely that you have a client who trusts a misbehaving/rogue/malicious CA (perhaps you installed a VPN or AV or something that added a system-wide CA to your machine?) and their connection to your service gets mitm-d.

Shorter certificate lifetimes - does nothing to mitigate that risk.

CAA records - not checked by client, only ensures that if a malicious actor somehow gets a hold of your domain, they need to use a particular CA to issue their publicly-trusted malicious cert.

CT monitoring - yes, for WebPKI certs, but does not protect against the risk above, as the bad CA-s are likely not sending certs to CT log.

Distributed DCV checks - sure, this is something CA-s should be doing, not something you have control over.

ACME URI in CAA - operational issues quite likely, good if you can pull it off, but again, does not address the risk above.

What is an actual alternative to cert pinning? Your API should have an additional layer of encryption with keys that you have full control over.

If you pin it, you may as well use self signed cert, with whatever expiration date you want. It has nothing to do with what browsers or popular CAs do - you may be the CA in this case. Not saying this is a good idea, just that it's the same idea as before (vide their "why now" argument and shortening rotation times).

Is pinning to certs signed by CAs you don't control, but that are public and trusted, beneficial over using self signed ones? I guess you won't (easily) land in CT log. Anything else?

The article mentions certificate pinning is used to prevent MITM attacks, but none of the alternatives listed actually prevent this class of attacks.

I’ve heard multiple times that “certificate pinning is obsolete.” Who is pushing this narrative?

How I'd like to replace certificate pinning:

* The client requests additional certificate chains

* The server returns multiple certificate chains (typically two), one chaining to a public CA, once chaining to a private CA

* The connection only succeeds if all expected chains are present and valid

* The public-key of the leaf certificates must be identical

This means:

* The public chain can follow standard practices around certificate transparency, renewal, revocation, expiration, etc.

* Clients which don't care about pinning but expect a standard public chain will work

* The chain to the private CA protects against a compromised public CA for clients which request/validate it

* Requiring identical public-keys means that this only impacts chain validation, not the key-exchange

I have a question. How does the client learn about certificate update?

I understand the "leaf" or "domain" update is done when the request is made, and that I as the end user don't need to do anything.

However if an intermediate certificate is updated, do I now need to update the app or client (OS/browser etc)?

Because I can sure see it in Google's interest to ensure clients only use the latest browsers, OS'. I suppose it becomes another "control" point.

If your client cannot resolve a domain (outdated hardware/software) you're out of luck.

If Google pushes changes to, for example, data collection within Chrome, they're going to want all users to update ASAP (e.g manifest V3, break older versions of chrome by rotating certificates).

I've dealt with cert pinning in the past, and the most frustrating part was invisible pins - any client can pin your certificate in their code, without ever having told you about it. If you run a large enough API over TLS, always assume that some random client will have pinned your certificate at their end. The only way to deal with it is to setup fast rotating certs, so these enterprise clients just give up, but that might not always be possible

We ended up doing slow brown-outs over a long time period to deal with it.

I got Certificate Transparency notifications for a domain of a relatively small company for a while. After you setup custom domains for a few SaaS products, and have a few hosting providers issuing short lived certs, you’re getting notifications fairly regularly. The notifications don’t really come with enough information for you have to any idea if the certs are being issued by trusted parties.

At a large company I have to imagine that monitoring them would just end up being noise.

> However, what we’ve learned is that almost all customers that were impacted by the change were unaware that they had a certificate pin in place.

All that lengthy blog post and no explanation of what configuration is causing this and in what kinds of software. And how to find certificate pins in your infrastructure.

Anyone know?

This is a super disappointing read coming from cloudflare. Even if I didn't disagree with the author about who exactly 'caused' these outages (I'm not blaming the users for the breaking change). I have to disagree with the suggestions. If the goal is availability; why is automation and constant cert and key rotation preferred? It's better to have to get it right every single time, over getting it right once? That's a wild take. I guess it's the behavior and recommendation I should expect from cloudflare, they are after all looking to sell, what's effectively a maintenance contract in concert with their expertise. But if I was gonna buy cloudflare, it would be for their expertise. They're industry leading for a reason. They used to be right.

So I guess it's disappointing not only that they're wrong here in this article, but it's also disappointing they'd sell off some of their credibility earned by their expertise to trick people into an implementation with a much larger maintenance cost.

Anyone have any alternatives to cloudflare, is there anyone who still values correctness over making money?

cloudflare continues to destroy the free web, this time around they are gaslighting you into thinking that an extremely important security feature, that happens to break cloudflare mitm is actually useless and outdated and there's all kinds of solutions, that incidentally all rely on trusting cloudflare, that you should be using instead.

Can we please just take X.509 out and shoot it?