1

I have seen many implementations of certificate pinning for HTTPS connections originated from client-side apps running on mobile devices using native libraries and plugins.

I would like to know whether such certificate pinning implementations are available for websockets. In the client side (say a mobile device or web browser), can we actually implement certificate pinning for websockets?

If such approach is available, it would be really nice to have an explanation, ideally with links to resources/ articles/ code snippets/ libraries.

Thilina Ashen Gamage
  • 1,367
  • 1
  • 12
  • 21

1 Answers1

0

With web sockets it is possible to send HTTP headers.

HTTP Public Key Pinning (HPKP) is an Internet security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise

HTTP Public Key Pinning is just a HTTP header on the server side.

On the client side, which really depends on the language/runtime, you might have to implement it yourself.

When talking about a browser as a client:

the initial attempt to establish the websocket connection still happens over a standard HTTP request and requires a standard HTTP request to be properly established. As a result, the browser should still respect any response headers sent back down by the websocket server when initially establishing a connection.

StackExchange - Information Security: Certificate Pinning for WebSockets

Daniel Fisher lennybacon
  • 3,865
  • 1
  • 30
  • 38