2 Feb
Will this certificate pinning plan work as expected?
I have a mobile app deployed to millions of users on both Android and iOS.
My security department rotates our certs once a year.
Our certs are issued by GlobalSign.
I would like to pin the certificate without having to worry about the rotation of those, so I would like to:
- Pin the Root public key
- Pin the leaf FQDN (CN)
The idea is: with the guarantee that the CN is what I expect it to be and the chain leads to my FQDN, I could be certain that I'm talking to my real backend without having to go through hoops and mass-redeploy when the certificate rotates.
I know that I'm exposed to:
a) somehow GlobalSign is hacked
b) someone getting access to my account at GS and issuing another certificate for my FQDN...
but other than those, what other attacks could I suffer?
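The policy described in the question (trust only chains ending in a root whose public key is pinned, then require the leaf to be valid for the backend's name) can be written down precisely. The Go program below is an added example, not code from the poster or from any of the mobile platforms; it builds a constructed test PKI (a "pinned" root, a second root that stands in for any other publicly trusted CA, and four leaves) and runs the policy against each chain. The hostname `api.example.com`, the CA names and the `verifyPinned`/`RunScenarios` helpers are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the certificate's SubjectPublicKeyInfo, the "sha256/..." form
// used by Android network-security-config and OkHttp pin sets.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned accepts the server-sent chain only if it validates up to a root from
// trustStore whose SPKI hash is pinned AND the leaf is valid for host. Rotating the
// leaf (or an intermediate) under the same root therefore needs no app update.
func verifyPinned(rawChain [][]byte, pins map[string]bool, trustStore []*x509.Certificate,
	host string, now time.Time) error {
	if len(rawChain) == 0 {
		return errors.New("empty certificate chain")
	}
	chain := make([]*x509.Certificate, 0, len(rawChain))
	for _, raw := range rawChain {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		chain = append(chain, c)
	}
	roots := x509.NewCertPool()
	for _, r := range trustStore {
		if pins[spkiPin(r)] { // only pinned roots become trust anchors
			roots.AddCert(r)
		}
	}
	inters := x509.NewCertPool()
	for _, c := range chain[1:] { // intermediates come from the server, not the app
		inters.AddCert(c)
	}
	// DNSName is matched against the leaf's SAN entries; Go, like current browsers
	// and mobile TLS stacks, ignores the CN for hostname checks.
	_, err := chain[0].Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: now,
	})
	return err
}

// ---- constructed test PKI below (throwaway keys, not real GlobalSign material) ----

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tpl, parent *x509.Certificate, pub, signer interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

func newCA(cn string, serial int64, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return mustCert(tpl, tpl, &key.PublicKey, key), key // self-signed root
}

func newLeaf(host string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time) *x509.Certificate {
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, // the SAN is what the hostname check actually reads
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(tpl, ca, &newKey().PublicKey, caKey)
}

// RunScenarios applies the policy to four chains and returns each verdict (nil = accepted).
func RunScenarios() map[string]error {
	now := time.Now()
	const host = "api.example.com" // constructed backend name
	pinnedRoot, pinnedKey := newCA("Pinned Root CA", 1, now)
	otherRoot, otherKey := newCA("Other Publicly Trusted Root", 2, now)
	trustStore := []*x509.Certificate{pinnedRoot, otherRoot} // stands in for the device store
	pins := map[string]bool{spkiPin(pinnedRoot): true}

	thisYear := newLeaf(host, 10, pinnedRoot, pinnedKey, now)
	nextYear := newLeaf(host, 11, pinnedRoot, pinnedKey, now)                // the yearly rotation
	misissued := newLeaf(host, 12, otherRoot, otherKey, now)                 // right name, unpinned root
	wrongName := newLeaf("other.example.com", 13, pinnedRoot, pinnedKey, now) // pinned root, other name

	return map[string]error{
		"current leaf":  verifyPinned([][]byte{thisYear.Raw}, pins, trustStore, host, now),
		"rotated leaf":  verifyPinned([][]byte{nextYear.Raw}, pins, trustStore, host, now),
		"unpinned root": verifyPinned([][]byte{misissued.Raw}, pins, trustStore, host, now),
		"wrong name":    verifyPinned([][]byte{wrongName.Raw}, pins, trustStore, host, now),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-14s -> %v\n", name, err)
	}
}
```

Two things the run makes visible. First, the "rotated leaf" case passes with no change to the pin set, which is the property the question is after, while "unpinned root" and "wrong name" are rejected. Second, the check only ever sees the chain it is handed: any certificate the pinned root (or any intermediate under it) issues for that name is accepted, which is exactly the residual exposure listed as (a) and (b). Two practical points: match on the SAN rather than the CN, since Android, iOS ATS and Go all ignore the CN; and pin at least one backup root, because CAs do retire roots and an app with a single pinned root has no fallback when that happens.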