Certificate Pinning: The Double-Edged Sword of TLS Security

Development
#Security #Certificate #TLS

Certificate pinning emerged as a security technique to combat man-in-the-middle attacks and rogue Certificate Authorities. By hardcoding expected certificate information into applications, developers can ensure connections only succeed when communicating with legitimate servers. However, this enhanced security comes with significant operational complexity and risk. A misconfigured pin or expired certificate can render applications unusable, requiring emergency updates and frustrated users. This exploration examines certificate pinning across browsers, mobile applications, and backend services. We’ll dissect the certificate chain hierarchy, evaluate what elements to pin, and understand the trade-offs between security and operational flexibility. Drawing from real-world incidents and industry practices, we uncover why certificate pinning is both powerful and dangerous.

Understanding the Certificate Chain

Before diving into pinning strategies, understanding the certificate chain structure is essential. TLS certificates don’t exist in isolation—they form a hierarchical chain of trust from your server’s certificate up to a trusted root authority.

The Three-Tier Hierarchy

TLS certificate chains typically consist of three levels, each serving a distinct purpose:

📝Certificate Chain Structure

Leaf Certificate (End-Entity Certificate)

  • The certificate installed on your web server or application
  • Contains your domain name (e.g., example.com)
  • Has the shortest lifetime (currently 398 days maximum, moving to 47 days by 2029)
  • Signed by an intermediate certificate
  • Most frequently replaced certificate in the chain Intermediate Certificate
  • Issued by the root CA to sign leaf certificates
  • Acts as a buffer between root and leaf certificates
  • Typical lifetime: 3-10 years
  • Can be revoked without affecting the root’s trust
  • Multiple intermediates may exist in a chain Root Certificate
  • Self-signed certificate at the top of the chain
  • Embedded in operating systems and browsers
  • Extremely long lifetime: 15-25 years
  • Rarely changed due to distribution challenges
  • Compromise requires OS/browser updates to remove The chain works through cryptographic signatures. The root CA signs the intermediate certificate, the intermediate signs your leaf certificate, and clients verify each signature up the chain until reaching a trusted root in their certificate store.

Why This Hierarchy Exists

The three-tier structure isn’t arbitrary—it provides critical operational and security benefits:

💡Hierarchy Benefits

Root Certificate Protection

  • Root private keys kept offline in secure facilities
  • Minimizes exposure to compromise
  • Reduces operational risk from frequent signing operations Operational Flexibility
  • Intermediate certificates can be revoked without replacing roots
  • New intermediates can be issued without OS/browser updates
  • Allows CAs to segment operations (geographic, product lines) Risk Isolation
  • Compromise of intermediate limits damage scope
  • Leaf certificate compromise affects only specific domains
  • Layered security reduces single points of failure This hierarchy becomes crucial when deciding what to pin. Each level offers different trade-offs between security and operational flexibility.

Certificate Pinning Across Platforms

Certificate pinning implementation varies significantly across browsers, mobile applications, and backend services. Each platform has different capabilities, constraints, and use cases that influence pinning strategies.

Browser Pinning: Limited and Declining

Modern browsers have largely moved away from supporting custom certificate pinning for web applications:

⚠️Browser Pinning Reality

HTTP Public Key Pinning (HPKP) - Deprecated

  • Introduced in 2015 to allow websites to specify pinned certificates
  • Deprecated by Chrome in 2017, removed in 2018
  • Firefox and other browsers followed suit
  • Reason: Too dangerous—misconfiguration could permanently break websites Current Browser Approach
  • Browsers maintain their own pin lists for high-value domains
  • Google pins its own domains (google.com, gmail.com, etc.)
  • Preloaded pins compiled into browser code
  • Not available for third-party websites Why HPKP Failed
  • Misconfigured pins locked users out of websites
  • Attackers could use HPKP for ransom attacks
  • No recovery mechanism for broken pins
  • Operational burden outweighed security benefits For web applications, certificate pinning is effectively unavailable. Browsers rely on the standard CA trust model with additional protections like Certificate Transparency.

Mobile Application Pinning: Common but Risky

Mobile applications represent the primary use case for certificate pinning today:

📝Mobile Pinning Characteristics

iOS Implementation

  • Native support via NSURLSession and App Transport Security
  • Can pin certificates or public keys
  • Implemented in application code
  • Requires app update to change pins Android Implementation
  • Network Security Configuration (Android 7.0+)
  • Declarative XML configuration
  • Can pin certificates or public keys
  • Also requires app update to change pins Common Use Cases
  • Banking and financial applications
  • Healthcare apps handling sensitive data
  • Enterprise applications with high security requirements
  • Apps communicating with known, controlled servers Mobile pinning makes sense when you control both the client and server, can coordinate updates, and the security benefits justify the operational complexity.

Backend Service Pinning: Controlled Environments

Backend services communicating with other backend services represent another pinning scenario:

💡Backend Pinning Advantages

Controlled Environment

  • Both client and server under your control
  • Coordinated certificate updates possible
  • Automated deployment reduces update friction Microservices Communication
  • Service-to-service authentication
  • Mutual TLS (mTLS) with pinning
  • Zero-trust architecture implementation API Client Libraries
  • SDKs communicating with specific APIs
  • Known certificate infrastructure
  • Can bundle pins with library updates Backend pinning is less risky than mobile pinning because updates can be deployed rapidly without user involvement.

The Pinning Dilemma: What to Pin

Choosing what to pin involves balancing security against operational flexibility. Each option—root, intermediate, or leaf certificate—presents distinct trade-offs.

Pinning the Leaf Certificate: Maximum Security, Maximum Risk

Pinning your server’s leaf certificate provides the strongest security but creates significant operational challenges:

❌Leaf Certificate Pinning Risks

Frequent Rotation Required

  • Leaf certificates expire in 398 days (soon 47 days)
  • Every certificate renewal requires application update
  • With 47-day certificates: 7-8 updates per year minimum Emergency Scenarios
  • Private key compromise requires immediate certificate replacement
  • Application update required before new certificate deployed
  • Users on old app versions cannot connect
  • No graceful migration path Operational Burden
  • Coordinating certificate updates with app releases
  • Testing pin updates before deployment
  • Managing multiple app versions with different pins
  • High risk of breaking connectivity Leaf certificate pinning is rarely recommended except for extremely high-security scenarios where operational complexity can be managed.

Pinning the Intermediate Certificate: Balanced Approach

Pinning the intermediate certificate offers a middle ground:

📝⚖️ Intermediate Certificate Trade-offs

Advantages

  • Intermediate certificates last 3-10 years
  • Fewer application updates required
  • Leaf certificate rotation doesn’t affect pins
  • Reasonable security improvement over no pinning Disadvantages
  • CA can issue certificates for your domain using same intermediate
  • Doesn’t protect against CA compromise
  • Still requires updates when intermediate rotates
  • Multiple intermediates may exist (need to pin all) Best Practices
  • Pin current intermediate plus backup intermediate
  • Monitor CA announcements for intermediate changes
  • Plan updates well before intermediate expiration
  • Test with staging intermediates first Intermediate pinning is the most common approach for mobile applications, balancing security and operational feasibility.

Pinning the Root Certificate: Minimal Security Benefit

Pinning the root certificate provides the least security improvement:

⚠️Root Certificate Pinning Limitations

Limited Security Value

  • Root CA can issue certificates for any domain
  • Doesn’t prevent CA compromise attacks
  • Provides minimal protection over standard trust model
  • Only prevents attacks using different root CAs Operational Advantages
  • Root certificates last 15-25 years
  • Very infrequent updates required
  • Leaf and intermediate rotation doesn’t affect pins When It Makes Sense
  • Restricting to specific CAs (e.g., only trust DigiCert roots)
  • Reducing attack surface from compromised CAs
  • Compliance requirements for CA restrictions Root pinning is rarely worth the implementation effort given the minimal security improvement.

Rather than pinning entire certificates, pinning public keys offers superior flexibility:

✅Public Key Pinning Benefits

Certificate Rotation Without Pin Changes

  • New certificates can use the same key pair
  • Pin remains valid across certificate renewals
  • Reduces update frequency Backup Key Support
  • Generate backup key pair in advance
  • Pin both current and backup public keys
  • Switch to backup key if primary compromised
  • Provides emergency recovery path Implementation
  • Extract public key from certificate
  • Hash the public key (typically SHA-256)
  • Store hash in application
  • Compare during TLS handshake Public key pinning is the industry-recommended approach, providing security benefits while maintaining operational flexibility.

Implementing Public Key Pinning

The technical implementation involves extracting and hashing public keys:

# Extract public key from certificate
openssl x509 -in certificate.pem -pubkey -noout > pubkey.pem
# Generate SHA-256 hash of public key (SPKI format)
openssl x509 -in certificate.pem -pubkey -noout | \
  openssl pkey -pubin -outform der | \
  openssl dgst -sha256 -binary | \
  base64

The resulting base64-encoded hash is what you pin in your application. During TLS handshake, extract the server’s public key, hash it, and compare against your pinned hashes.

💡Key Management Best Practices

Always Pin Multiple Keys

  • Current production key
  • Backup key (pre-generated, securely stored)
  • Optionally: intermediate CA public key Key Rotation Strategy
  • Generate backup key when deploying new pins
  • Store backup key securely offline
  • When rotating, backup becomes primary, generate new backup
  • Update pins to include new backup before rotation Emergency Procedures
  • Document key compromise response procedures
  • Maintain ability to rapidly deploy app updates
  • Consider kill-switch or remote pin update mechanisms
  • Test emergency procedures regularly

The Common Name Trap: Don’t Pin by CN

Some developers attempt to implement pinning by validating the certificate’s Common Name (CN) or Subject Alternative Names (SAN). This approach is fundamentally flawed:

❌Why CN Pinning Fails

No Cryptographic Binding

  • CN is just a text field in the certificate
  • Any CA can issue certificates with your domain name
  • Doesn’t verify the certificate is actually yours
  • Provides zero security benefit Attack Scenario
  • Attacker compromises any trusted CA
  • Requests certificate for your domain (victim.com)
  • Certificate has correct CN but wrong public key
  • Your CN validation passes, attacker intercepts traffic What You’re Actually Validating
  • Standard TLS libraries already validate CN/SAN
  • You’re duplicating existing validation
  • Not adding any security layer
  • Creating maintenance burden for no benefit CN validation is not certificate pinning—it’s redundant validation that provides no security improvement.

What Actually Provides Security

Real certificate pinning validates cryptographic properties:

✅Cryptographic Validation

Public Key Pinning

  • Validates the actual cryptographic key
  • Cannot be forged without private key access
  • Provides real security against CA compromise Certificate Pinning
  • Validates entire certificate including signature
  • Ensures exact certificate match
  • Stronger than public key pinning but less flexible Certificate Chain Pinning
  • Validates intermediate or root certificates
  • Restricts which CAs can issue valid certificates
  • Balances security and operational flexibility The key insight: pin cryptographic material (keys, certificates), not metadata (CN, organization name).

Real-World Pinning Failures

Certificate pinning failures have caused high-profile outages, illustrating the operational risks:

⚠️Notable Pinning Incidents

Mobile Banking Apps

  • Certificate renewal forgotten, pins not updated
  • App update required before new certificate deployed
  • Thousands of users unable to access banking services
  • Emergency app update rushed through approval process Enterprise Applications
  • Intermediate certificate rotated by CA
  • Pins not updated in deployed applications
  • Entire mobile workforce unable to connect
  • Required emergency certificate rollback API Client Libraries
  • Pinned leaf certificate expired
  • All applications using library broken
  • Developers forced to update and redeploy
  • Service disruption across customer base These incidents share common themes: insufficient planning for certificate rotation, lack of backup pins, and underestimating the coordination required between certificate and application updates.

A Near-Miss: Testing Saves the Day

I once narrowly avoided a catastrophic outage through rigorous pre-rotation testing—and sheer persistence in the face of dismissal. Our mobile application used a hybrid pinning approach: it mapped Common Names to specific public key pins. While not ideal from a pure security perspective, this design provided operational flexibility—we could rotate certificates with the same CN without updating the app, as long as the public key remained pinned. During a routine certificate rotation, my team followed our standard procedure: test the new certificate in our staging environment before deploying to production. The test failed. Connections were rejected, and the app couldn’t communicate with our servers.

When Testing Teams Say “It’s Too Hard”

The testing team reported the failure but quickly dismissed it. “Certificate pinning is difficult to test,” they said. “We have pinning disabled in UAT anyway—that’s why we’re seeing failures. It’s probably just a configuration issue. We’ve tested everything else and it works fine.” This response troubled me deeply. They had disabled certificate pinning in UAT because “pinning failures are too common,” which meant their testing provided no validation of the actual production behavior. With only two hours remaining before the scheduled production release, I made the decision to investigate personally rather than accept the dismissal.

The UAT Pinning Gap

The testing team’s dismissive attitude revealed a dangerous practice: they had disabled certificate pinning in UAT (User Acceptance Testing) environments. Their reasoning was pragmatic but flawed—pinning made testing harder, so they removed it.

❌The Disabled Pinning Trap

Why They Disabled Pinning in UAT

  • “Certificate pinning is too difficult to test”
  • UAT certificates frequently changed or expired
  • Self-signed certificates used for testing
  • Testing team lacked access to update pins
  • “It slows down our testing cycle”
  • “We’ll catch real issues in production monitoring” The Dangerous Consequence
  • UAT testing validated nothing about certificate pinning
  • All pinning-related issues would only appear in production
  • False confidence from “successful” UAT testing
  • Production became the real test environment
  • Users would experience failures that testing never caught What Actually Happened
  • Testing team ran full test suite in UAT
  • All tests passed (because pinning was disabled)
  • They reported “ready for production release”
  • The certificate rotation would have broken production
  • Only my staging test with pinning enabled caught the issue I had insisted on maintaining a separate staging environment with certificate pinning enabled precisely to catch these issues. The testing team viewed this as redundant and overly cautious. This incident proved otherwise. I pulled up the code and began examining it line by line. The pinning logic, the CN mapping, the public key validation—every component needed scrutiny. The clock was ticking, but rushing the release without understanding the failure would be reckless. After an hour of investigation, I found it: the new certificate had a different Common Name structure than expected.
❌The Discovery (2 Hours Before Release)

What I Found in the Code

  • Certificate provider changed CN format during renewal
  • Old certificate: CN=api.example.com
  • New certificate: CN=*.example.com (wildcard)
  • App’s CN-to-pin mapping logic expected exact match
  • Wildcard CN didn’t match the hardcoded mapping
  • All connections would have been rejected The Impact If Deployed
  • Entire mobile user base unable to connect
  • No immediate fix without app update
  • App store approval process: 1-3 days minimum
  • Potential revenue loss and reputation damage
  • Emergency rollback would be only option The Timeline
  • Testing team reported failure but dismissed it
  • 2 hours remaining before scheduled release
  • Line-by-line code investigation revealed root cause
  • Release called off with 1 hour to spare
  • Disaster averted through persistence and investigation I immediately called off the certificate rotation with just an hour remaining before the scheduled release window. We worked with the certificate provider to issue a new certificate with the original CN format, maintaining consistency with our deployed application. The rotation was rescheduled and completed successfully after thorough testing confirmed the CN matched our expectations.

Lessons from the Near-Miss

This experience reinforced several critical principles, particularly about organizational culture and the importance of investigating failures rather than dismissing them:

✅Testing Best Practices

Never Disable Pinning in UAT

  • If pinning is enabled in production, it must be enabled in UAT
  • “It’s too hard to test” means you’ll discover issues in production
  • UAT must mirror production behavior exactly
  • Use production-like certificates in UAT
  • Maintain pin synchronization across environments
  • Accept the operational burden as necessary validation
  • If you can’t test it, you can’t deploy it safely Never Dismiss Test Failures
  • Certificate pinning failures are signals, not noise
  • “It’s too hard to test” is not an acceptable response
  • Investigate every failure to root cause
  • Don’t assume “it will work in production”
  • Insist on understanding why tests fail Always Test Before Rotation
  • Test new certificates in staging environment
  • Use actual application builds, not simulators
  • Verify all certificate properties: CN, SAN, public key, chain
  • Test with multiple app versions if possible
  • Document expected certificate properties
  • Investigate line-by-line if necessary Design for Operational Flexibility
  • CN-to-pin mapping provided flexibility for key rotation
  • Could update public keys without app updates (within same CN)
  • Reduced frequency of required app updates
  • Balanced security with operational reality Maintain Coordination
  • Document certificate requirements clearly
  • Communicate requirements to certificate providers
  • Verify certificate properties before accepting delivery
  • Have rollback procedures ready
  • Schedule rotations with adequate testing time The hybrid approach—using CN to map to public key pins—represented a pragmatic compromise. Pure public key pinning would have been more secure but required app updates for every key rotation. Pure CN validation would have provided no security. Our approach allowed us to rotate keys without app updates as long as the CN remained consistent, while still validating cryptographic properties through the pinned public keys.
💡Design Considerations

Proper Design Reduces Risk

  • Separate certificate identity (CN) from cryptographic validation (public key)
  • Allow multiple pins per CN for graceful rotation
  • Include backup pins in initial deployment
  • Design for certificate provider changes
  • Plan for emergency scenarios Documentation is Critical
  • Document pinning architecture and rationale
  • Maintain list of pinned CNs and public keys
  • Record certificate provider requirements
  • Create runbooks for rotation procedures
  • Share knowledge across team members Environment Configuration
  • Enable pinning in all environments including UAT
  • If testing team disables pinning, maintain separate staging with it enabled
  • Use environment-specific pins if necessary
  • Maintain pin configuration alongside certificate infrastructure
  • Don’t sacrifice test coverage for convenience
  • Accept that proper testing requires effort
  • If you can’t test with pinning enabled, you can’t safely deploy Cultural Considerations
  • Foster culture where test failures are investigated, not dismissed
  • Empower engineers to call off releases when issues are found
  • Allocate time for proper investigation before releases
  • Don’t accept “it’s too hard to test” as valid reasoning
  • Treat certificate rotations as high-risk changes This incident demonstrated that proper design and rigorous testing are not optional luxuries—they’re essential safeguards against self-inflicted outages. More importantly, it exposed the critical flaw in the testing team’s approach: they had disabled certificate pinning in UAT because it was “too hard to test,” which meant their testing validated nothing about production behavior. The testing team had run their full test suite and reported “ready for production.” All tests passed—because pinning was disabled. They had created a false sense of security through testing that didn’t reflect reality. Only my insistence on maintaining a separate staging environment with pinning enabled caught the issue. Without that, the first test of certificate pinning would have been in production, with thousands of users unable to connect. This incident validated a controversial decision: maintaining the operational burden of testing with pinning enabled. Many organizations disable pinning in testing environments because “failures are too common,” but this creates a dangerous gap where production becomes the real test environment. The difficulty of testing with pinning enabled is not a bug—it’s a feature that forces proper certificate management practices and catches issues before they reach users. The two hours spent investigating saved days of crisis management, emergency app updates, and potential business impact. Every certificate rotation should be treated as a high-risk operation requiring the same care and validation as a major code deployment. And every test failure deserves investigation, not dismissal—especially when dealing with certificate pinning where the consequences of failure are immediate and severe.

Testing Certificate Pinning: Don’t Take Shortcuts

The temptation to disable certificate pinning in non-production environments is strong, but it undermines the entire purpose of testing:

❌The Shortcut That Backfires

Common Justifications for Disabling Pinning in UAT

  • “Certificate pinning is too hard to test”
  • “We use self-signed certificates in UAT”
  • “Pinning failures are too common in testing”
  • “It slows down our testing cycle”
  • “Production certificates are different anyway” Why These Justifications Fail
  • Testing should validate production behavior
  • If it’s hard to test, it’s hard to operate
  • Common failures indicate real problems
  • Slow testing is better than production outages
  • Different certificates should still follow same pinning rules
✅Proper Testing Approach

Maintain Pinning in All Environments

  • Use production-like certificates in UAT
  • Keep pins synchronized across environments
  • Test certificate rotation procedures in UAT first
  • Validate that pinning logic works correctly
  • Catch configuration issues before production Accept the Operational Burden
  • Yes, it’s harder to manage certificates in UAT
  • Yes, it requires coordination between teams
  • Yes, it slows down some testing scenarios
  • But it prevents production disasters
  • The difficulty is the point—it forces proper practices Organizations that disable pinning in UAT often discover issues only in production, where the impact is severe and the recovery options are limited. The operational burden of maintaining pinning in test environments is far less than the cost of a production outage affecting thousands or millions of users.

When to Use Certificate Pinning

Given the risks, when does certificate pinning make sense?

📝Good Pinning Use Cases

High-Value Mobile Applications

  • Banking and financial services
  • Healthcare applications with PHI
  • Government and defense applications
  • When security justifies operational complexity Controlled Environments
  • Backend service-to-service communication
  • Enterprise applications with managed deployment
  • IoT devices with update mechanisms
  • When both client and server are under your control Threat Model Requirements
  • Protection against CA compromise is critical
  • Regulatory compliance mandates pinning
  • Targeted attack risk is high
  • Standard TLS trust model insufficient
❌Poor Pinning Use Cases

Public Websites

  • Browsers don’t support custom pinning
  • HPKP deprecated due to risks
  • Certificate Transparency provides alternative protection Applications Without Update Mechanisms
  • Cannot recover from pinning failures
  • Risk of permanent breakage
  • No graceful migration path Rapidly Changing Infrastructure
  • Frequent certificate rotation
  • Multiple certificate providers
  • Dynamic infrastructure (CDNs, load balancers)
  • Operational burden too high The decision to implement pinning should be based on careful threat modeling and honest assessment of operational capabilities.

Alternatives to Certificate Pinning

Before implementing pinning, consider alternative security measures:

💡Alternative Security Measures

Certificate Transparency

  • Public log of all issued certificates
  • Detect unauthorized certificates for your domains
  • Monitor CT logs for unexpected issuance
  • No operational burden on applications CAA DNS Records
  • Specify which CAs can issue certificates for your domain
  • Prevents unauthorized CAs from issuing certificates
  • Simple DNS record, no application changes
  • Supported by all major CAs Mutual TLS (mTLS)
  • Client certificates for authentication
  • Stronger than pinning for service-to-service communication
  • Both parties authenticate each other
  • Common in zero-trust architectures Enhanced Monitoring
  • Monitor certificate issuance via CT logs
  • Alert on unexpected certificate changes
  • Detect attacks without pinning risks
  • Provides visibility without operational burden These alternatives often provide better security-to-complexity ratios than certificate pinning.

Conclusion

Certificate pinning represents a powerful security technique that comes with significant operational risks. By hardcoding expected certificates or public keys into applications, you can protect against CA compromise and man-in-the-middle attacks. However, this protection comes at the cost of operational flexibility and the risk of self-inflicted outages. The key decisions in certificate pinning revolve around what to pin and how to manage the lifecycle. Pinning leaf certificates provides maximum security but requires frequent updates as certificates rotate. Pinning intermediate certificates balances security and operational feasibility, making it the most common approach for mobile applications. Pinning root certificates provides minimal security benefit and is rarely justified. Public key pinning offers the best balance, allowing certificate rotation without pin updates while maintaining cryptographic validation. The Common Name trap illustrates a fundamental misunderstanding of certificate security. Validating CN or SAN fields provides no security benefit—these are metadata that any CA can include in certificates. Real security comes from validating cryptographic properties: public keys, certificate signatures, and chain validation. CN validation is redundant with standard TLS validation and creates a false sense of security. Real-world pinning failures demonstrate the operational risks. Mobile banking apps broken by forgotten certificate renewals, enterprise applications disrupted by CA intermediate rotation, and API libraries rendered useless by expired pins all share common themes: insufficient planning, lack of backup pins, and underestimating coordination complexity. These incidents often cause more damage than the attacks pinning aims to prevent. The decision to implement pinning should be based on careful threat modeling. High-value mobile applications in controlled environments with managed deployment represent good use cases. Public websites, applications without update mechanisms, and rapidly changing infrastructure are poor candidates. Alternative security measures—Certificate Transparency, CAA records, mutual TLS, and enhanced monitoring—often provide better security-to-complexity ratios. Certificate pinning is a double-edged sword. Used appropriately in controlled environments with robust operational processes, it enhances security against sophisticated attacks. Used carelessly or in inappropriate scenarios, it creates operational fragility and self-inflicted outages. The industry trend toward shorter certificate lifetimes makes pinning increasingly challenging, reinforcing the importance of public key pinning over certificate pinning and the value of alternative security measures. Before implementing certificate pinning, ask yourself: Does my threat model justify the operational complexity? Do I have the processes and tools to manage pin updates reliably? Can you maintain pinning enabled across all environments including UAT? Are there alternative security measures that provide similar protection with less risk? The answers to these questions should guide your pinning strategy—or your decision to avoid pinning altogether. And if you do implement pinning: never disable it in testing environments just because it’s “too hard.” That difficulty is your early warning system, catching problems before they reach production. Embrace the operational burden as the price of proper security validation.