!!! Overview

Typically [Certificates] are [validated by checking the signature hierarchy|Certificate Validation]. When you don't know in advance to which hosts the [user-agent] might be connecting, checking [hostname] match and [Chain of trust] is the best you can do. In many [Native applications], though, you know your hosts in advance. This enables a higher [Level Of Assurance]: you can make sure that it is your [certificate] that the [server] has presented. This is known as SSL pinning or [{$pagename}].

[{$pagename}] offers a higher [Level Of Assurance] against a [Man-In-The-Middle] [attacker], perhaps perpetrated using a [Compromised Certificate], or via a [Social Engineering Attack] ("Free [Wi-Fi]! Just add this root cert to your device!").

[{$pagename}] is where you ignore that whole thing, and say trust this [certificate] only, or perhaps trust only [certificates] signed by this [Certificate Authority]. So for example, if you go to [google].com, your [user-agent] will [trust] the [certificate] if it's signed by [VeriSign], [Digicert], [Thawte], or the Hong Kong Post Office (and dozens of others). But if you use (on newer versions) [Microsoft Windows] Update, it will __ONLY__ trust certificates signed by [Microsoft]. No VeriSign, no Digicert, no Hong Kong Post Office.

Also, some newer [user-agents] ([Chrome], for [example]) will do a variation of [{$pagename}] using the [Strict-Transport-Security] ([HSTS]) mechanism. They preload a specific set of public key hashes into the HSTS configuration, which limits the valid certificates to only those which contain the specified [Public Key].

!! Explicitly added [Certificate Authority]

A [certificate] which is signed by a [Certificate Authority] which was __explicitly__ added to the [Trust Anchor Store] will not be affected by the [{$pagename}] checks. This is deliberately done to allow useful and legal SSL interception.
Such interception can be found in most enterprise firewalls but also in lots of desktop AV, and is needed to scan HTTPS traffic for malware etc. If this were not done, malware delivery would simply move to HTTPS.

[{$pagename}] is one attempt to reduce the [Public Key Infrastructure Weaknesses] [Attack Surface].

!! More Information

There might be more information for this subject on one of the following:

[{ReferringPagesPlugin before='*' after='\n' }]
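The "trust only this certificate" and "trust only certificates signed by this CA" checks described in the overview, as an added Go example that is not part of this page or of any project it names: it pins the SHA-256 of each certificate's SubjectPublicKeyInfo (the same hash form the HSTS preload list uses) and plugs into Go's crypto/tls as a VerifyPeerCertificate callback. The function names SPKIPin, VerifyPinned and selfSignedDER are this example's own, and the self-signed certificate is constructed so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// SPKIPin is base64(SHA-256(SubjectPublicKeyInfo)), the pin format of HSTS/HPKP preload lists.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned builds a tls.Config.VerifyPeerCertificate callback. Go invokes it after
// normal chain and hostname validation, so the pin is an extra check: the chain is accepted
// only if some certificate in it (leaf, intermediate or root) carries a pinned key.
func VerifyPinned(pins []string) func([][]byte, [][]*x509.Certificate) error {
	allowed := map[string]bool{}
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if allowed[SPKIPin(cert)] {
				return nil // pinned key found; pinning a CA key is the "signed by this CA" form
			}
		}
		return errors.New("pinning: no pinned public key in the presented chain")
	}
}

// selfSignedDER creates a throwaway self-signed certificate (constructed for this
// example) standing in for the server certificate whose key you would pin.
func selfSignedDER() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```

In a real client the pins are shipped as constants in the application and rotated together with the certificate, and the callback is set as `VerifyPeerCertificate` on the `tls.Config` used to dial the server. Note that this callback has no exemption for locally added CAs, so an enterprise interception certificate of the kind described above is rejected unless its key is in the pin list.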