tls – Need an alternative to SSL pinning for web applications


It is unclear what exactly you want to prevent. MITM is only possible if the client side explicitly trusts the MITM (i.e. a corporate proxy on the firewall vs. an attacker). So an attack against the client is not easily possible. Additionally, HSTS can be explicitly set, which makes overriding certificate warnings impossible on modern browsers.

You can also require a client certificate issued by a CA you control. This certificate is impossible to simply replicate by a MITM, and it is thus effective against MITM in corporate proxies where the proxy CA was added as trusted to each client's CA store but where the proxy usually does not retrieve client certificates installed on the client. If there is a risk that the client certificate gets retrieved, one can back it by a smart card so that physical presence of the smart card in the client is needed and nobody can replicate the client certificate. Of course, this makes it more complex, since somehow the client must get and install the client certificate first.

If your goal is instead to prevent the client itself from reverse engineering or manipulating the application protocol by running some local MITM proxy (e.g. Burp or others), then neither client certificates nor SSL pinning would help. The client has full control over its side and can provide the proxy with the client certificate or could disable SSL pinning. In this case one could only try to obfuscate the protocol to make reverse engineering harder and to keep all important state and computation on the server side to protect against local modifications on the client side.
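As an added illustration (not part of the answer above), this is how the two server-side measures it describes, HSTS and a client certificate requirement against a CA you control, look in an nginx configuration; the host name, file paths and backend address are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder host name

    # Ordinary server certificate (paths are assumptions)
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Require a client certificate that chains to the CA you control.
    # An intercepting proxy that only holds its own CA has no such
    # certificate to present, so the handshake fails at the proxy.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # HSTS: once a browser has seen this header over a valid HTTPS
    # connection it refuses to let the user click through certificate
    # warnings for this host. "always" also sends it on error responses.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        # Pass the verified identity to the backend from nginx's own
        # TLS variables, not from any client-supplied header.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

HSTS only applies to visits after the browser has received the header over a connection it considered valid, so it does not protect the very first visit unless the domain is on the browser preload list.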