TLS certificate and public-key pinning

Certificate and public-key pinning reduces the risk of some types of man-in-the-middle (MITM) attacks.

Overview

In Web Public-Key Infrastructure (PKI), a TLS client trusts any server certificate issued by a trusted certificate authority (CA). There are many CAs (see Available trusted root certificates for Apple operating systems), and if the security of just one CA is compromised, then an attacker could forge server certificates for use in a man-in-the-middle (MITM) attack.

Certificate or public-key pinning describes a process by which TLS clients can reduce the risk of connecting to an imposter server by checking the server’s certificate chain for the presence of one or more expected ('pinned') certificates or public keys. This extra criterion reduces the number of CAs the client trusts as valid issuers of certificates for the server. For example, a bank that manages its own CA could implement certificate pinning to ensure that its StreamLink for iOS apps only trust server certificates that include the public key of the bank’s CA in their certificate chain.

For a detailed overview of certificate and public-key pinning, see Certificate and Public Key Pinning on the OWASP website.

Overriding TLS certificate validation in Apple iOS

To override certificate validation in StreamLink for iOS, pass an iOS SecTrustRef trust object to the SLStreamLink.setTrustManager method.

For more information on the SLStreamLink interface in StreamLink for iOS, see SLStreamlink.

For more information the SecTrustRef trust object in iOS, see Overriding TLS chain validation correctly on the Apple Developer website.