End-to-end certificate pinning

US9847992B2 · US · B2

Patent metadata
Publication number: US-9847992-B2
Application number: US-201514831772-A
Country: US
Kind code: B2
Filing date: Aug 20, 2015
Priority date: Aug 20, 2015
Publication date: Dec 19, 2017
Grant date: Dec 19, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Some embodiments implement end-to-end certificate pinning for content intake from various content providers and for content distribution to various end users. To ensure secure retrieval of content provider content, the content distributor pins the content provider to one or more certificate authorities. Accordingly, the content distributor only retrieves content from a sender identified as the content provider when the sender identity is verified with a certificate issued by a certificate authority pinned to the content provider. To ensure secure delivery of content from the content distributor to an end user, the content distributor modifies the pinset of the user browser to pin the content distributor to one or more certificate authorities. Thereafter, the user browser only accepts content from a sender identified as the content distributor when the sender identity is verified with a certificate issued by a certificate authority pinned to the content distributor in the browser pinset.

First claim

Opening claim text (preview).

We claim:

1. A method comprising: establishing a first content provider as a valid originating source of first content for a content distribution server by pinning at the content distribution server, the first content provider to a first certificate authority of a plurality of certificate authorities, wherein each of the plurality of certificate authorities issues security certificates verifying identity of different content providers, and wherein the first certificate authority issues one or more security certificates verifying identity of the first content provider; receiving at the content distribution server in response to a request for first content of the first content provider, second content with a security certificate issued by one of the plurality of certificate authorities, wherein said security certificate verifies said second content as originating from the first content provider; accepting said second content at the content distributor as an original copy of the first content based on (i) identifying an originating certificate authority of the security certificate received with said second content and (ii) matching said originating certificate authority to the first certificate authority set as the issuing certificate authority for the first content provider as a result of said establishing and pinning; and rejecting said second content at the content distributor in response to detecting interception of said request by an attacker impersonating the first content provider and the second content to be a fraudulent or altered copy of the first content, wherein said detecting comprises determining a mismatch between the originating certificate authority issuing the security certificate received with said second content and the first certificate authority set as the issuing certificate authority for the first content provider as a result of said establishing and pinning.

2. The method of claim 1, wherein said pinning identifies the first certificate authority as a source that successfully verified identity of the first content provider.

3. The method of claim 2 further comprising modifying a pinset of at least one user browser, wherein said modifying comprises adding a third certificate authority of the plurality of certificate authorities as a source that has successfully verified identity of the content distribution server distributing said content on behalf of the first content provider.

4. The method of claim 3, wherein said modifying of the pinset causes the user browser to accept content from the content distribution server provided with a security certificate identifying the third certificate authority, and rejecting content from the content distribution server provided with a security certificate identifying a certificate authority other than the third certificate authority.

5. The method of claim 1, wherein said pinning comprises linking one of the first certificate authority's name, canonical name, and domain name to the first content provider.

6. The method of claim 1 further comprising differentiating between issuance of the security certificate from the first certificate authority and the second certificate authority from hashing a security certificate feature of said security certificate.

7. The method of claim 6, wherein said security certificate feature is the subject public key information (SPKI).

8. The method of claim 1, wherein accepting said second content comprises hashing the SPKI of the security certificate and accepting the second content in response to a result of said hashing matching a first identifier from said pinning.

9. The method of claim 1, wherein accepting said second content comprises caching a copy of the second content and redistributing the cached copy in response to a user request for the first content.

10. The method of claim 1 further comprising pinning a different second content provider to a third certificate authority of the plurality of certificate authorities.

11. The method of claim 10 further comprising accepting content issued with a third security certificate verifying content origination from the second content provider when the third security certificate is issued by the third certificate authority.

12. A method for performing end-to-end certificate pinning by a content distributor distributing content on behalf of a particular content provider to different clients, the method comprising: securing end-to-end delivery of said content over a first path between the particular content provider and the content distributor by pinning at the content distributor, the particular content provider to a first certificate authority of a plurality of certificate authorities, wherein pinning the particular content provider comprises configuring a first identifier identifying the first certificate authority as the certificate authority issuing a security certificate to the particular content provider; securing end-to-end delivery of said content over a second path between the content distributor and the different clients by pinning within a client browser of the different clients, the content distributor to a different second certificate authority of the plurality of certificate authorities, wherein pinning the content distributor comprises modifying a pinset of said client browser with a second identifier identifying the second certificate as the certificate authority issuing a content distributor security certificate; submitting from the content distributor, a request for content of the particular content provider; receiving in response to said request at the content distributor, the content with a first security certificate; and providing secure end-to-end delivery of said content from the particular content provider to a client requesting said content from the content distributor with said client browser, wherein said providing comprises: (i) forwarding the content with a different second security certificate comprising the second identifier to said client in response to said content distributor receiving said content with the first security certificate comprising an identifier matching the first identifier pinned for the particular content provider at the content distributor, wherein said identifier matches the first identifier when the first certificate authority pinned to the particular content provider issues the first security certificate accompanying the content, and (ii) rejecting the content in response to said receiving providing the first security certificate with an identifier not matching the first identifier pinned for the particular content provider, wherein said identifier does not match the first identifier when a certificate authority other than the first certificate authority pinned to the particular content provider issues the first security certificate accompanying said content.

13. The method of claim 12, wherein configuring the first identifier comprises receiving the first identifier from the particular content provider.

14. The method of claim 12, wherein configuring the first identifier comprises receiving a security certificate from the particular content provider in advance of submitting said request, and generating the first identifier by hashing a feature of said security certificate.

15. The method of claim 14, wherein said feature is the security certificate SPKI.

16. The method of claim 12 further comprising detecting the first security certificate to be fraudulently issued when the first security certificate omits the first identifier.

17. The method of claim 16, wherein said detectin
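The claims above describe the pin as a hash of the certificate's SPKI (claims 8, 14 and 15) held in a pinset that is keyed by the entity being pinned, with the same accept/reject decision applied on both paths: at the distributor for content-provider intake (claims 1 and 12) and in the browser for content from the distributor (claims 3, 4 and 12). The following Go program is an added example written for this page, not code from the patent or from the assignee: it computes the base64(SHA-256(SubjectPublicKeyInfo)) form of the pin, keeps a pinset keyed by origin, and accepts a chain only when some certificate in it hashes to a pinned value. It generates two throwaway CAs at runtime so it runs offline; the origin name "provider.example", the CA names, and the `Pinset`, `SPKIPin`, `Check` and `Scenario` names are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Pinset maps an origin (a content provider as seen by the distributor, or the
// distributor as seen by a browser) to the set of acceptable
// base64(SHA-256(DER SubjectPublicKeyInfo)) values, the "pin-sha256" form used
// by HPKP (RFC 7469). Pinning a CA's key accepts every leaf that CA issues.
type Pinset map[string]map[string]bool

// SPKIPin returns base64(SHA-256(DER SubjectPublicKeyInfo)) of a certificate.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Pin records cert's key as an acceptable issuer (or end entity) for origin.
func (p Pinset) Pin(origin string, cert *x509.Certificate) {
	if p[origin] == nil {
		p[origin] = map[string]bool{}
	}
	p[origin][SPKIPin(cert)] = true
}

// Check is the accept/reject decision: content presented for origin is accepted
// (nil error) only if some certificate in the presented chain hashes to a pinned
// value. An origin with no pins is refused rather than silently trusted.
func (p Pinset) Check(origin string, chain []*x509.Certificate) error {
	pins, ok := p[origin]
	if !ok {
		return fmt.Errorf("no pins configured for %q; refusing content", origin)
	}
	for _, c := range chain {
		if pins[SPKIPin(c)] {
			return nil
		}
	}
	return fmt.Errorf("pin mismatch for %q: chain was not issued by a pinned authority", origin)
}

// newCert issues a certificate for cn. With parent == nil it is self-signed (a
// constructed CA); otherwise it is signed by parentKey. Constructed test data only.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario builds the intake-side situation from the claims: the distributor
// pins provider.example to one CA, then receives content once with a chain from
// that CA and once with a chain from a different CA that also vouches for the
// same name. It returns the two Check results (nil means accepted).
func Scenario() (genuine, impostor error, err error) {
	pinnedCA, pinnedKey, err := newCert("Pinned CA (constructed)", true, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	otherCA, otherKey, err := newCert("Other CA (constructed)", true, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf1, _, err := newCert("provider.example", false, pinnedCA, pinnedKey)
	if err != nil {
		return nil, nil, err
	}
	leaf2, _, err := newCert("provider.example", false, otherCA, otherKey)
	if err != nil {
		return nil, nil, err
	}
	ps := Pinset{}
	ps.Pin("provider.example", pinnedCA)
	genuine = ps.Check("provider.example", []*x509.Certificate{leaf1, pinnedCA})
	impostor = ps.Check("provider.example", []*x509.Certificate{leaf2, otherCA})
	return genuine, impostor, nil
}

func main() {
	genuine, impostor, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain from pinned CA:", genuine)
	fmt.Println("chain from other CA: ", impostor)
}
```

The browser-side path of claim 12 is the same structure with the distributor's hostname as the origin key and the distributor's issuing CA pinned. In a deployment the pin check runs in addition to, never instead of, ordinary chain validation (signature, validity period, name matching), and a pinset should carry a backup pin so that a planned CA or key rotation does not turn into a self-inflicted outage.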

Assignees

Verizon Digital Media Services Inc

Inventors

Classifications

  • wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption H04L9/30) · CPC title

  • Applying verification of the received information (cryptographic mechanisms or cryptographic arrangements for data integrity or data verification H04L9/32) · CPC title

  • using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9847992B2 cover?
Some embodiments implement end-to-end certificate pinning for content intake from various content providers and for content distribution to various end users. To ensure secure retrieval of content provider content, the content distributor pins the content provider to one or more certificate authorities. Accordingly, the content distributor only retrieves content from a sender identified as the …
Who is the assignee on this patent?
Verizon Digital Media Services Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0823. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 19, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).