cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
terpsfanatic
Newcomer II

certificate pinning - is it a good thing?

This is a topic that comes up more than a few times in exam preparation, either as a control or a possible mitigation.

 

I ask because a lot of the CBK is 10 years old and strategies like certificate pinning were common back then.  But some of these strategies have been re-examined and found to have flaws.  Certificate pinning is one of them.  Digicert recommends to stop certificate pinning  because at times keys have been exposed and outages can occur when certificates expire.  Even OWASP tries to steer you towards public key pinning rather than certificate pinning.

 

For the purposes of the CSSLP is certificate pinning considered a deprecated control or should I just think back to 10 years ago when a question pops up 😉  I think the answer to this is yes because I see it in the official curriculum. But in 2023, no one is recommending this practice anymore.  Perhaps the CBK needs to be updated.

1 Reply
denbesten
Community Champion

First of all, I can virtually guarantee that there would not be a question "Is cert pinning a good thing?".   That is way to much like a trivia question for an (ISC)² exam.  (ISC)² exams are much more about "problem solving" and "applied knowledge".   

 

Second, exams are refreshed every 3 years, so what matters with the CSSLP (in theory) is not the state of the art in 2013, but rather what it was on Sep 15, 2020 (and soon, Sep 15, 2023).  But, even that rule of thumb fails because when a question stops performing well (e.g. high-scoring exam takers tend to pick the same "wrong" answer), the question is removed from the pool and put on the "fix me" pile.

 

Third, the "Official Guide" is but one of about 25 references used to build the CSSLP exam. And, the exam is written by certificate holders, not (ISC)² nor textbook authors.  So, I would not put much weight in one (old) reference that does not match current practice, regardless of its author.