TrustPin

Security Research & Foundations

TrustPin is built on proven security research and addresses the fundamental challenges identified in OWASP’s Certificate and Public Key Pinning guidelines.

Built on OWASP Security Research

Our solution addresses the critical challenges identified by Mark Gamache and Kevin Wall in their foundational OWASP research on Certificate and Public Key Pinning.

OWASP Certificate and Public Key Pinning

Authors: Mark Gamache and Kevin Wall
This foundational research identified critical vulnerabilities in traditional PKI models and established the security principles that guide modern certificate pinning implementations.

Security Threats Addressed by TrustPin

PKI Trust Model Vulnerabilities

Traditional PKI assumes trust in numerous Certificate Authorities, creating attack vectors through 'trickery and bribery' of CAs.

Hostile Network Environments

Standard certificate validation is insufficient in environments where the network infrastructure itself may be compromised.

Certificate Authority Compromise

Multiple trusted CAs create opportunities for attackers to obtain rogue certificates through various means.

Solving Traditional Pinning Challenges

The OWASP research identified critical implementation challenges. TrustPin provides modern solutions to each of these problems.

OWASP Challenge: Synchronization Risks

Keeping client-side pinsets and server keys synchronized in real-time is extremely difficult

TrustPin Solution

Automated signed configuration delivery via CDN ensures instant global synchronization

OWASP Challenge: Certificate Rotation Complexity

Certificate rotation becomes extremely complex and requires precise coordination

TrustPin Solution

Zero-downtime certificate updates without app store releases or forced updates

OWASP Challenge: Trust on First Use Weakness

HTTP Public Key Pinning (HPKP) failed because of its Trust on First Use weakness

TrustPin Solution

Cryptographically signed configurations eliminate trust on first use vulnerabilities

OWASP Challenge: Corporate Environment Issues

Incompatibility with corporate TLS inspection environments

TrustPin Solution

Configurable validation modes support corporate and development environments

OWASP-Compliant Advanced Implementation

TrustPin implements the best practices recommended in the OWASP research, while adding modern improvements for operational efficiency.

Out-of-Band Delivery

TrustPin delivers pinsets through signed configurations, separate from main communication channels

JWS Cryptographic Signatures

Uses JSON Web Signature (JWS) for secure, verifiable configuration delivery as recommended by OWASP

Controlled Mobile Environments

Optimized for mobile applications where pinning provides maximum security benefit with minimal operational risk

Why TrustPin Succeeds Where Others Failed

OWASP Conclusion vs. TrustPin Reality

OWASP Research Conclusion:

"Considering the current risks in the CA and browser space and comparing them to the risk of downtime, pinning is not recommended."

TrustPin’s Innovation:

We eliminated the 'risk of downtime' by solving certificate rotation without app updates, making pinning not just viable, but essential for modern security.

Zero Operational Risk

Remote certificate updates eliminate downtime concerns

Maximum Security Benefit

All the protection of pinning without the operational burden

Implement OWASP-Compliant Security Today

Experience the security benefits of certificate pinning without the operational complexity