Email provider Posteo is one of the first German online service providers to use a brand new concept to make encryption on the web more secure.
Certificate pinning is a relatively young standard that has come in to restore trust in encryption on the web. A very simple intervention for the server itself can prevent most cases of certificate misuse. Posteo becomes the first larger German service to test this concept in practice.
The security of a TLS connection is based on the fact that you are actually connected to the correct partner. So-called certification authorities (CAs) guarantee this, by checking the identity of a service provider, certifying it with their digital signature. The problem is that there are too many CAs, and the list of those that have abused this trust is long. Recently, Symantec, Verisign, Thawte and RapidSSL were found to have issued certificates to Google domains for test purposes and without authorisation. With certificate pinning, a server operator can determine which certificates a browser should accept for its domain in future. It works with Chrome, Firefox and Opera, but Internet Explorer, Edge and Safari have not yet implemented the internet standard for public key pinning extension for HTTP (RFC 7469). On the server side, the implementation of pinning is not yet widely in use. Some large services such as Google, Facebook and Twitter use it, but don’t use pins anchored in the browser. Internet services that use dynamic HTTP public key pinning (HPKP) are currently still hard to find. Posteo is one of the first German providers to implement it in its current practice. Checking the header delivered by the server reveals the entry, Public-Key-Pins: pin-sha256=“HuTEMYw…”, which nails down the Posteo certificate. More on how certificate pinning functions, how to set it up yourself and things to note can be found in the “SSL wird sicherer” article (in German) in the current issue of c’t.