Certificates
Shippit uses automated certificate rotation and TLS version management practices to provide a secure and reliable experience. Avoid certificate pinning and adhere to these recommendations to make sure that your application remains secure and resilient to changes.
Certificate rotation
SSL and TLS certificates are regularly rotated to ensure the ongoing security of the Shippit APIs. This is a standard security practice that minimises the risk associated with compromised or outdated certificates.
Shippit automatically rotates certificates, which means that certificates are often renewed before their set expiration dates. Certificate changes can cause problems with your various applications and integrations, so Shippit always communicates significant changes in advance, through the developer portal, release notes, or direct email communications.
TLS version management
Shippit updates the supported TLS versions regularly, and currently supports TLS 1.2 and higher. For the best security, your application should also use TLS 1.2 or higher.
Shippit adopts new TLS versions as they’re released and deemed secure by industry standards. Changes are always communicated in advance, through the developer portal, release notes, or direct email communications.
Certificate pinning
Certificate pinning is when you hardcode certificate or public key information in your application. Pinning creates a tight coupling between your application and a specific certificate. When Shippit rotates the certificate, your application stops working until you have updated the pinned certificate details. This can lead to downtime and increased maintenance overhead.
Important: Don’t use certificate pinning for Shippit APIs.
If a certificate becomes compromised, or a vulnerability is discovered, it is important that Shippit can quickly rotate the certificate. If you use certificate pinning, your application could remain vulnerable until you manually issue an update. Additionally, managing pinned certificates across multiple applications and environments is complex, error-prone, and can significantly increase the risk of misconfiguration and security breaches.
As an alternative to certificate pinning:
- Use your system trust store. Your operating system or runtime environment uses built-in trust stores to validate the Shippit API certificates. This ensures that your application automatically trusts certificates issued by trusted certificate authorities (CAs).
- Validate the hostname. Make sure that your application verifies the server name in the certificate against the API endpoint’s hostname. This protects against man-in-the-middle attacks.
- Use TLS 1.2 or higher. Configure your application to use TLS 1.2 or higher for secure communication.
- Stay updated. Keep your application libraries and runtime environment up to date to ensure that you have the latest security patches and TLS support.
- Monitor announcements. Regularly monitor the developer portal and release notes for announcements regarding certificate rotations and TLS version updates.
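The following Python client configuration is an added example of the alternatives listed above (it is not Shippit's own code): it builds a TLS context from the system trust store with hostname verification and a TLS 1.2 floor, with no pinned certificate or key, and includes a small audit that flags a context violating those recommendations. The hostname is a placeholder; the page does not give the API endpoint.

```python
import ssl
import urllib.request

# Placeholder only: the page does not name the API hostname, so this is not a real endpoint.
API_HOST = "api.example.invalid"


def build_client_context() -> ssl.SSLContext:
    """Client TLS context following the recommendations above:
    system trust store, hostname verification, TLS 1.2 minimum, no pinning."""
    # create_default_context() loads the OS/runtime trust store and sets
    # verify_mode=CERT_REQUIRED and check_hostname=True, so a rotated
    # certificate is accepted as long as a trusted CA issued it.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # Be explicit about the floor instead of relying on the runtime default.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the recommendations the context violates (empty means compliant)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def build_weak_context() -> ssl.SSLContext:
    """A misconfigured context, constructed here only so audit_context()
    has something to flag; never use it against a production API."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, rotated or forged
    return ctx


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates the context loaded from the trust store."""
    return ctx.cert_store_stats()["x509_ca"]


def get(path: str, ctx=None) -> bytes:
    """HTTPS GET with the hardened context; SNI and hostname verification
    use the URL's host automatically, so no per-certificate state is kept."""
    ctx = ctx or build_client_context()
    with urllib.request.urlopen(f"https://{API_HOST}{path}", context=ctx) as resp:
        return resp.read()
```

Because nothing in the client references a specific certificate, a rotation on the server side needs no change here; only the trust store and the runtime's TLS library need to stay current.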