Server Public Key Pinning in Go

Why Pin Public Keys?

Zaki Manian
Jan 12, 2015

Public key pinning allows clients to detect a class of attack in which a man in the middle presents a valid, CA-signed certificate that differs from the genuine certificate deployed by the server operators. Ordinary certificate validation cannot catch this, because the fraudulent certificate chains to a CA the client already trusts. There is no shortage of less-than-trustworthy CAs, from CAs issuing fraudulent certificates for interception on government and corporate networks to GoGo Inflight Internet issuing fraudulent certificates for YouTube.

An application developer might also want to protect the confidentiality of their private API. Pinning the public keys of the application's servers provides a defense against user-installed certificates that allow proxying and inspection of encrypted traffic. Some applications design their key pins so that user-added CAs are allowed to override the application's pin.

Example Code: Connect to Google with a pinned key
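The gist that originally accompanied this heading is not reproduced on this page. What follows is an added example, not the author's code: it pins the server's SubjectPublicKeyInfo hash in Go's crypto/tls and then plays out the attack described above against a throwaway loopback server instead of Google. The host name `api.example.test`, both self-signed certificates, the trust store that contains them and the function names are constructed for the demonstration; the `VerifyPeerCertificate` callback is the part you would lift into a real client, with the pin taken from the operator's published key rather than computed at run time as it is here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is the base64 SHA-256 of the DER SubjectPublicKeyInfo (HPKP's pin-sha256 form).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedConfig layers a leaf SPKI pin check on top of normal chain validation:
// InsecureSkipVerify stays false, so the callback only runs once the chain, validity
// period and host name have already been accepted by crypto/x509.
func pinnedConfig(serverName string, roots *x509.CertPool, pins []string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		RootCAs:    roots,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(rawCerts[0]) // rawCerts[0] is the leaf
			if err != nil {
				return err
			}
			got := spkiPin(leaf)
			for _, want := range pins {
				if got == want {
					return nil
				}
			}
			return fmt.Errorf("pin check: leaf SPKI pin %s is not in the pin set", got)
		},
	}
}

// selfSignedCert makes a throwaway Ed25519 certificate for host, a stand-in for a real
// server certificate so the demo runs offline; key generation failure aborts the demo.
func selfSignedCert(host string) tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// handshake starts a loopback TLS server presenting serverCert for one connection, dials
// it with cfg and returns the client's verdict: nil means the leaf was accepted.
func handshake(serverCert tls.Certificate, cfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		panic(err) // a loopback listen failure is outside the scenario being modelled
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // fails when the client rejects the pin
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// runDemo serves "api.example.test" (a constructed name) first with the genuine key, then
// with an interceptor's certificate the client ALSO trusts; only the pin tells them apart.
func runDemo() (genuineErr, interceptErr error) {
	const host = "api.example.test"
	genuine, intercept := selfSignedCert(host), selfSignedCert(host)
	roots := x509.NewCertPool() // a trust store that (wrongly) trusts both issuers
	roots.AddCert(genuine.Leaf)
	roots.AddCert(intercept.Leaf)
	cfg := pinnedConfig(host, roots, []string{spkiPin(genuine.Leaf)}) // pin only the operator's key
	return handshake(genuine, cfg), handshake(intercept, cfg)
}

func main() { fmt.Println(runDemo()) }
```

Two design points are worth spelling out. The pin is checked in addition to, not instead of, normal validation: `InsecureSkipVerify` is left false, so Go still verifies the chain, the validity period and the host name, and `VerifyPeerCertificate` is only invoked after that succeeds, which is why the interceptor's CA-trusted certificate passes validation and is then stopped by the pin. And the pin covers the public key rather than the certificate, so the operator can renew or re-issue the certificate without breaking clients as long as the key pair is kept; rotating the key still requires shipping a client update first, which is why deployed pin sets normally carry a backup pin for the next key. For a live server rather than a constructed one, the same digest comes out of `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. This example pins unconditionally; it does not implement the user-added-CA override mentioned above.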

Zaki Manian is Executive Director of the Trusted IoT Alliance and a Board member of Restore the 4th.