
I know that if I use HTTPS the connection will be established after the handshake, so (the user will ping the link, then the server will give him the public key so the client can provide him with encrypted data that only the server can decrypt, because only the server has the secret key).

Now my question is: why do we use SSL pinning, for example embedding the certificate into an application? (I know that with SSL pinning a hacker can't perform a man-in-the-middle attack and intercept the data, but my question is: what is the point of that?)

In other words, if I didn't do SSL pinning the attacker could intercept the data, but since I am using HTTPS the communication will be encrypted and the attacker can gain nothing.

  • *"... the user will ping the the link then the server will give him public key so the client can provide him with encrypted data only the sever can de-crypt because only the sever have the secret key ..."* - No. Absolutely wrong. See [How does SSL/TLS work?](https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work). – Steffen Ullrich Aug 11 '20 at 10:17
  • *"... if I didn't do SSL pinning the attacker could intercept the data ..."* - also wrong. This is only true if the attacker's certificate is trusted by the client, which it should not be. – Steffen Ullrich Aug 11 '20 at 10:19
  • 1
    To pull-off a MITM attack, the attacker must present his own certificate (which is different than the server's certificate), and dupe the client into trusting that certificate. This is what SSL-pinning aims to prevent. The client 'remembers' the server's certificate, so it recognizes that the certificate presented in by the MITM is different. – mti2935 Aug 11 '20 at 10:23
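The comments above describe the check that pinning adds on top of ordinary HTTPS: the client compares what the server presents against a value baked into the app, so a certificate the device's trust store would otherwise accept (for instance one chaining to a CA the attacker duped the user into installing) is still rejected. The following is an added example, not code from the question or the comments. It builds toy X.509 DER certificates by hand (structurally valid, placeholder signatures, constructed here so it runs offline with no network and no real CA) and shows the difference between pinning the whole certificate and pinning the SubjectPublicKeyInfo (SPKI): a renewed certificate with the same key keeps its SPKI pin, while a MITM certificate for the same hostname with a different key fails the check. The hostname `api.example.com`, the key bytes and the serial numbers are all made up for the example.

```python
import base64
import hashlib


def der(tag, content):
    """One DER TLV; long-form length when content is 128 bytes or more."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        be = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(be)]) + be
    return bytes([tag]) + length + content


def seq(*items):
    return der(0x30, b"".join(items))


def integer(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def alg_id(oid_hex):
    """AlgorithmIdentifier with NULL parameters."""
    return seq(der(0x06, bytes.fromhex(oid_hex)), der(0x05, b""))


def name(cn):
    """Name holding a single commonName (OID 2.5.4.3) attribute."""
    atv = seq(der(0x06, bytes.fromhex("550403")), der(0x0C, cn.encode()))
    return seq(der(0x31, atv))


def spki(pubkey_bits):
    """SubjectPublicKeyInfo for rsaEncryption (OID 1.2.840.113549.1.1.1)."""
    return seq(alg_id("2a864886f70d010101"), der(0x03, b"\x00" + pubkey_bits))


def toy_certificate(serial, subject_cn, pubkey_bits, fake_sig):
    """X.509 v3 Certificate DER with a placeholder signature (constructed for
    this example; chain verification is not what the pinning check is about)."""
    sha256_rsa = "2a864886f70d01010b"  # sha256WithRSAEncryption
    validity = seq(der(0x17, b"200101000000Z"), der(0x17, b"300101000000Z"))
    tbs = seq(
        der(0xA0, integer(2)),  # [0] EXPLICIT version v3
        integer(serial),
        alg_id(sha256_rsa),
        name("Example CA"),
        validity,
        name(subject_cn),
        spki(pubkey_bits),
    )
    return seq(tbs, alg_id(sha256_rsa), der(0x03, b"\x00" + fake_sig))


def read_tlv(buf, pos=0):
    """Return (tag, content, end) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split a constructed value into (tag, raw_tlv) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = read_tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """Raw SubjectPublicKeyInfo of a DER certificate (what SPKI pins hash)."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs_body, _ = read_tlv(cert_body)  # first child: tbsCertificate
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:  # optional [0] version comes first
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(cert_der):
    """base64(SHA-256(DER SPKI)), the pin format HPKP and OkHttp use."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def cert_fingerprint(cert_der):
    """Whole-certificate fingerprint: changes on every renewal."""
    return hashlib.sha256(cert_der).hexdigest()


def pinned_client_accepts(presented_leaf, pinned_spki):
    """The extra check a pinning client runs after normal chain validation:
    even a chain the OS trust store accepts fails if the leaf key is not pinned."""
    return spki_pin(presented_leaf) in pinned_spki


# Constructed scenario: one server key, a renewed cert with the same key, and
# a MITM cert for the same hostname under a different (hypothetical) key.
SERVER_KEY = bytes(range(64))
ATTACKER_KEY = bytes(reversed(range(64)))
CERT_2023 = toy_certificate(1, "api.example.com", SERVER_KEY, b"\x11" * 16)
CERT_2024 = toy_certificate(2, "api.example.com", SERVER_KEY, b"\x22" * 16)
MITM_CERT = toy_certificate(3, "api.example.com", ATTACKER_KEY, b"\x33" * 16)
PINS = {spki_pin(CERT_2023)}  # what the app ships with

if __name__ == "__main__":
    print("renewed cert, same key, accepted:", pinned_client_accepts(CERT_2024, PINS))
    print("MITM cert, other key, accepted:  ", pinned_client_accepts(MITM_CERT, PINS))
```

`pinned_client_accepts` is the whole point of the exercise: it does not ask whether the presented chain is trusted (plain HTTPS already asks that, and a MITM who got a certificate trusted by the victim's device passes it), it asks whether the presented key is the one the app expects. Pinning the SPKI rather than the certificate is the usual choice because the operator can renew the certificate without shipping a new app, as long as the key stays the same; a real deployment also pins a backup key so that key rotation does not lock every client out.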

0 Answers