Jump to content

Eset's Public Key Pinning Capability


Recommended Posts

-EDIT- Changed title since this is about public key pinning; not certificate pinning. Additionally modified originally posted text to reflect the same. Certificate pinning involves storing the "thumbprint" associated with the issuing root CA certificate for the web site off-line. Then when the web site is accessed via browser, the previously stored thumbprint is compared to the root CA certificate for the web site. Eset does not support certificate pinning.   

Some may not know or care for that matter about web site public key pinning. Overall it is an important protection against browser man-in-the-middle interception.

What the validation does is ensure that the public key for the web site your are accessing matches the known public key associated with the web site. The downside of this validation is the web site must support HPKP. Whereas both Firefox and Chrome both support the HPKP standard that enables the browser to support such lookup validation, IE11 does not. Additionally for any AV product that performs SSL protocol scanning such as Eset, it its imperative that it also perform such HPKP validation since the scanning process by definition breaks the browser HPKP validation.

There is a web site where you can test the above: https://projects.dm.id.lv/Public-Key-Pins_test . As shown below, Eset correctly shows via alert an invalid certificate pinning occurrence in IE11 which in all likelihood would be indictative of man-in-the-middle activity:


Edited by itman
Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...