What is meant by certificate pinning?

Asked by Aashishchaursiya in SQL Server, Asked on Nov 29, 2021

I'm superficially familiar with SSL and what certs do. But recently I saw some discussion on cert pinning but there wasn't any definition of certificate pinning mentioned. A DDG search didn't turn up anything useful. What is certificate pinning?


Answered by Andrea Bailey

Typically certificates are validated by checking the signature hierarchy; MyCert is signed by IntermediateCert which is signed by RootCert, and RootCert is listed in my computer's "certificates to trust" store. Certificate Pinning was where you ignore that whole thing, and say "trust this certificate only" or perhaps "trust only certificates signed by this certificate", ignoring all the other root CAs that could otherwise be trust anchors. It was frequently also known as Key Pinning since it was actually the public key hash that got saved. But in practice, Key Pinning turned out to cause more problems than it solved. It was frequently misconfigured by site owners. Moreover, in the event of a site compromise, attackers could maliciously pin a cert that the site owner didn't control. Key Pinning was deprecated in 2017 and was removed entirely from Chrome and Firefox in Nov. 2019. It was never supported to begin with by IE and Safari.

What can go wrong with Certificate Pinning?

Pinning, especially with HPKP, was extremely risky and error-prone. If you configured your pinning settings incorrectly, you could block access to your own website or break connectivity in your application, with limited options for recourse. Here are just a few ways pinning can cause such harm.
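As an added illustration (not part of the answer above), the following Go program shows the "save the public key hash" form of pinning the answer describes: it computes the HPKP-style pin-sha256 value over a certificate's SubjectPublicKeyInfo and checks a presented chain against a pin list, the way a tls.Config.VerifyPeerCertificate hook would. The certificates are throwaway self-signed ones generated inside the program (constructed test data), and the names spkiPin, verifyPinned and selfSignedDER are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the HPKP-style "pin-sha256" value: base64(SHA-256(SubjectPublicKeyInfo)).
// Hashing the SPKI rather than the whole certificate is why this was called Key Pinning.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned has the shape of a tls.Config.VerifyPeerCertificate callback body:
// the chain is accepted only if at least one certificate in it carries a pinned key.
func verifyPinned(pins []string, rawCerts [][]byte) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		for _, pin := range pins {
			if spkiPin(cert) == pin {
				return nil
			}
		}
	}
	return fmt.Errorf("no certificate in chain matches a pinned key")
}

// selfSignedDER builds a throwaway self-signed certificate with a fresh key (constructed data).
func selfSignedDER() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}

func main() {
	good, other := selfSignedDER(), selfSignedDER()
	gc, _ := x509.ParseCertificate(good)
	pins := []string{spkiPin(gc)}
	fmt.Println("pinned cert:", verifyPinned(pins, [][]byte{good}))  // <nil>
	fmt.Println("other cert: ", verifyPinned(pins, [][]byte{other})) // error: key not pinned
}
```

The second check is the point of pinning: a certificate for the same name but a different key is rejected even though normal chain validation was never consulted.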
