
Eset's Public Key Pinning Capability


itman


-EDIT- Changed title since this is about public key pinning; not certificate pinning. Additionally modified originally posted text to reflect the same. Certificate pinning involves storing the "thumbprint" associated with the issuing root CA certificate for the web site off-line. Then when the web site is accessed via browser, the previously stored thumbprint is compared to the root CA certificate for the web site. Eset does not support certificate pinning.   

Some may not know or care for that matter about web site public key pinning. Overall it is an important protection against browser man-in-the-middle interception.

What the validation does is ensure that the public key for the web site you are accessing matches the known public key associated with the web site. The downside of this validation is the web site must support HPKP. Whereas both Firefox and Chrome support the HPKP standard that enables the browser to support such lookup validation, IE11 does not. Additionally, for any AV product that performs SSL protocol scanning such as Eset, it is imperative that it also perform such HPKP validation since the scanning process by definition breaks the browser HPKP validation.

There is a web site where you can test the above: https://projects.dm.id.lv/Public-Key-Pins_test . As shown below, Eset correctly shows via alert an invalid certificate pinning occurrence in IE11 which in all likelihood would be indicative of man-in-the-middle activity:

[Screenshot: Eset_Pinning.png, the Eset alert for the failed pin check]

Edited by itman
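To make the post's point concrete, here is an added example (not code from the original post, from Eset, or from the test site) of the HPKP check a browser or an SSL-scanning product has to perform: compute the RFC 7469 pin of each SubjectPublicKeyInfo in the served chain, parse the Public-Key-Pins header on first visit, and on later visits accept the chain only if one of its SPKI pins is among those stored. The byte strings standing in for DER SPKI blobs and the header value are constructed for the example, which is why a chain re-signed by an interception proxy shares no pin with the site and is rejected.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo)), RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pkp_header(value: str) -> "dict | None":
    """Parse a Public-Key-Pins header; None if max-age is missing or fewer
    than two pins are present (RFC 7469 requires a backup pin)."""
    pins, max_age = [], None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
    if max_age is None or len(pins) < 2:
        return None
    return {"pins": pins, "max_age": max_age}

def note_pins(header: str, served_chain: list) -> "list | None":
    """First visit: store the pins only if the header is well formed, at least
    one pin matches the served chain and at least one (backup) pin does not."""
    parsed = parse_pkp_header(header)
    if parsed is None:
        return None
    chain_pins = {spki_pin(s) for s in served_chain}
    matched = [p for p in parsed["pins"] if p in chain_pins]
    if not matched or len(matched) == len(parsed["pins"]):
        return None
    return parsed["pins"]

def chain_matches_pins(served_chain: list, stored_pins: list) -> bool:
    """Later visit: accept the chain only if some SPKI in it hashes to a stored pin."""
    return any(spki_pin(s) in stored_pins for s in served_chain)

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
SITE_LEAF_SPKI = b"constructed:site-leaf-spki"
SITE_INTERMEDIATE_SPKI = b"constructed:site-intermediate-spki"
SITE_BACKUP_SPKI = b"constructed:site-offline-backup-spki"
PROXY_LEAF_SPKI = b"constructed:interception-proxy-leaf-spki"
PROXY_ROOT_SPKI = b"constructed:interception-proxy-root-spki"
PKP_HEADER = (f'pin-sha256="{spki_pin(SITE_INTERMEDIATE_SPKI)}"; '
              f'pin-sha256="{spki_pin(SITE_BACKUP_SPKI)}"; max-age=5184000')

def demo() -> tuple:
    """Returns (direct chain accepted, re-signed interception chain accepted)."""
    stored = note_pins(PKP_HEADER, [SITE_LEAF_SPKI, SITE_INTERMEDIATE_SPKI])
    return (chain_matches_pins([SITE_LEAF_SPKI, SITE_INTERMEDIATE_SPKI], stored),
            chain_matches_pins([PROXY_LEAF_SPKI, PROXY_ROOT_SPKI], stored))
```

A scanner that terminates TLS itself sees the real chain, so it is the scanner, not the browser, that must run this check and raise the alert shown above.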