As we create a website/application to run on a server and pin a certificate into the code, we always connect to that server securely. There are three things that the client and server must agree upon:

(1) How will keys be exchanged?

(2) How will data be encrypted?

(3) How will messages be marked as authentic?

But what if someone intercepts the communication and serves a different website, it then becomes difficult to differentiate from the original one. It is the shady certificate, termed as a man-in-the-middle attack. Another one is DNS poisoning. Your client-side code will validate it even after serving a different domain – easy spoofing. You're able to communicate with the attacker, who blocked the communication with the server and checked all the data. Let’s find out more about SSL pinning basics!