
With a client side java application that interacts with the server over http, is it possible to handle certificate pinning strictly at the network layer? Meaning, if the certificate is pinned on a load balancer that handles the connection between the client application and server.

This article sounds like it only applies to browsers and not a custom app. https://clouddocs.f5.com/training/community/irules/html/class2/module1/lab5.html#hpkp

To my understanding (based on some of the below links) this is something that has to be done through the application and can't be done at the network level only. But thought I would pose the question here to confirm since I feel like I may still be missing something.

https://medium.com/@zhangqichuan/explain-ssl-pinning-with-simple-codes-eaee95b70507
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
https://www.synopsys.com/blogs/software-security/ineffective-certificate-pinning-implementations/
Understanding Certificate Pinning

1 Answer


TLS is not a network protocol. There is nothing for the network to "pin to" as it were.

Checking of certificates is done by the application, so it must be handled by an application.

Pinning can absolutely be implemented in a custom app, though. You just include the same function as a browser would.

OWASP has some general guidance.

schroeder
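To show what "include the same function as a browser would" looks like for the Java client in the question, here is an added example (not code from the question, the answer, or any of the linked articles) of public-key pinning layered on top of the JVM's normal certificate validation. It wraps the platform `X509TrustManager`, lets it do ordinary PKIX validation first, and then requires that the SHA-256 digest of the leaf certificate's SubjectPublicKeyInfo matches one of the pins configured in the client. The class name `PinningTrustManager`, the host `api.example.invalid` and the two pin strings are assumptions; the pin values are placeholders to be replaced with the digests of the service's current and backup keys.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Public-key pinning for a Java HTTPS client (added example; hypothetical class name).
 * Normal chain validation runs first; the pin check is an extra constraint on top of it,
 * never a replacement for it.
 */
public final class PinningTrustManager implements X509TrustManager {

    private final X509TrustManager platformTrust;
    private final Set<String> pinnedSpkiSha256; // base64(SHA-256(DER SubjectPublicKeyInfo))

    public PinningTrustManager(X509TrustManager platformTrust, Set<String> pins) {
        this.platformTrust = platformTrust;
        this.pinnedSpkiSha256 = pins;
    }

    /** Pin value for a certificate: base64 of SHA-256 over the DER-encoded SPKI. */
    public static String spkiPin(X509Certificate cert) {
        try {
            byte[] spki = cert.getPublicKey().getEncoded(); // X.509 SubjectPublicKeyInfo, DER
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // 1. Ordinary PKI validation: signatures, validity period, trusted root.
        //    Hostname verification is done separately by HttpsURLConnection.
        platformTrust.checkServerTrusted(chain, authType);
        // 2. Pin check on the leaf only (chain[0]). Checking every presented certificate would let
        //    a chain padded with an unrelated, publicly known pinned certificate slip through,
        //    because the platform may validate a different path than the one presented.
        if (chain == null || chain.length == 0 || !pinnedSpkiSha256.contains(spkiPin(chain[0]))) {
            throw new CertificateException("Server public key does not match any configured pin");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platformTrust.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platformTrust.getAcceptedIssuers();
    }

    /** Returns the JVM's default trust manager so the pin check can be layered on it. */
    public static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("No X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        // Placeholder pins (assumed values): current key plus a backup key so rotation does not
        // lock the client out.
        Set<String> pins = Set.of(
            "PLACEHOLDER_CURRENT_KEY_PIN_BASE64=",
            "PLACEHOLDER_BACKUP_KEY_PIN_BASE64=");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(platformTrustManager(), pins) }, null);

        // Hypothetical endpoint; .invalid never resolves, so this only demonstrates wiring.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://api.example.invalid/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try (InputStream in = conn.getInputStream()) {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (IOException e) {
            // A pin mismatch surfaces here as an SSLHandshakeException; log it so pin failures
            // (misconfiguration or interception) are visible to operations.
            System.err.println("Connection refused by client: " + e);
        }
    }
}
```

The point of the example relative to the question is that every check here runs inside the client's own TLS stack: a load balancer in front of the server never sees the client's trust decisions and cannot make them on its behalf. Operationally, pin the key rather than the certificate so renewals with the same key keep working, ship at least one backup pin, and treat a pin failure as a signal to investigate rather than a reason to fall back to unpinned trust.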