Cloudflare has reported on customer incidents over the past six months in which customers told Cloudflare that their systems broke because a certificate change clashed with certificate pinning: clients rejected certificates even though they had been issued correctly.
Certificate pinning has been a popular technique among banks, which often pin a root CA or intermediate CA so that clients refuse certificates that carry the correct domain but were issued by a different CA. The technique helped prevent cases where a root CA was compromised, as happened with DigiNotar in 2012.
Cloudflare states that over the last 20 years the certificate issuance landscape has evolved significantly, and users now have better alternatives than certificate pinning. For example, certificate issuance is now required to be published to Certificate Transparency logs (CT logs), which can be checked daily, and organizations can prevent other root CAs from issuing certificates for their domains by restricting issuance with a CAA record in DNS.
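The CAA restriction mentioned above, worked through as an added example (this is illustrative code, not Cloudflare's): a CA walks up the DNS tree to the closest CAA record set and checks whether it is authorised to issue. The zone data, the CA names and the `pki.example.com` issuer are constructed for the example.

```python
"""CAA issuance check in the style of RFC 8659, run over a constructed zone."""
from typing import Dict, List, Optional, Tuple

# Constructed DNS data: owner name -> list of (flags, tag, value) CAA records.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),        # only this CA may issue for the apex and below
        (0, "issuewild", ";"),                  # ";" = nobody may issue wildcard certs
        (0, "iodef", "mailto:secops@example.com"),
    ],
    "app.example.com.": [(0, "issue", "pki.example.com; account=42")],  # hypothetical private CA
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # flag bit: an issuer that does not understand the tag must not issue


def _parent(name: str) -> Optional[str]:
    labels = name.rstrip(".").split(".")
    return None if len(labels) <= 1 else ".".join(labels[1:]) + "."


def relevant_caa(name: str) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """Return the closest self-or-ancestor name that holds CAA records, and those records."""
    node: Optional[str] = name if name.endswith(".") else name + "."
    while node is not None:
        rrset = ZONE.get(node, [])
        if rrset:
            return node, rrset
        node = _parent(node)
    return None, []


def _issuer_domain(value: str) -> str:
    """'letsencrypt.org; account=1' -> 'letsencrypt.org'; ';' -> '' (matches no CA)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, ca_domain: str) -> bool:
    """True if ca_domain is permitted to issue for fqdn under the relevant CAA set."""
    wildcard = fqdn.startswith("*.")
    _, rrset = relevant_caa(fqdn[2:] if wildcard else fqdn)
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _v in rrset):
        return False  # critical property we do not understand: refuse to issue
    has_wild = any(tag == "issuewild" for _f, tag, _v in rrset)
    tag_wanted = "issuewild" if (wildcard and has_wild) else "issue"
    allowed = [_issuer_domain(v) for _f, tag, v in rrset if tag == tag_wanted]
    if not allowed:
        return True  # no CAA record restricts this kind of issuance
    return ca_domain.lower() in allowed
```

Because the check climbs to `example.com.`, a subdomain without its own CAA record inherits the apex policy, while `app.example.com` overrides it with its own narrower record.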
Last year, Let’s Encrypt began rotating its intermediate CAs to reduce reliance on certificate pinning, and more frequent intermediate CA changes are expected going forward. If organizations do not pin intermediate CAs, the impact of such CA changes will be minimized.
Cloudflare is seeing an increasing number of system failures caused by certificate pinning, especially in the third quarter. While these incidents may not be widespread, the organizations that use this approach often run high-impact applications, such as banking apps.
TLDR: Cloudflare addresses customer incidents related to certificate pinning, highlighting the shifting landscape of certificate issuance and the need to adapt to newer, more secure alternatives.