Mojira Archive
MC-110718

No certificate pinning is in place

Certificate pinning should be in place to prevent the installation of malicious certificates for the Mojang login servers, or at least make it harder.

There is malware around that abuses exactly this flaw (currently to be found at hxxp://cubehacks.tk/minecraft/).

Let me explain what it does:

The downloadable software (currently at hxxp://cubehacks.tk/downloads/Alt%20Loader.rar) contains a bat script that changes the Windows hosts file and adds custom entries for the Minecraft authentication servers:

185.57.189.11 sessionserver.mojang.com
185.57.189.11 authserver.mojang.com

It then replaces the Minecraft cacert keystore with a custom version that includes these malicious certificates:

authserver.mojang.com, Nov 7, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 2B:CB:5C:BE:1B:2B:EE:3E:1A:FD:0E:2D:3E:83:F3:FE:27:C5:C3:34

and

sessionserver.mojang.com, Nov 7, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 16:7A:09:F5:54:D8:30:41:ED:D9:C7:9E:97:14:5E:EE:71:96:3E:A9

In practice, this means all login requests for Minecraft are now sent to the attacker, rather than to the legitimate authentication servers.

There's also a jar file which I haven't analyzed.

Awaiting Response

deleted

2016-11-25, 05:40 PM

2018-10-02, 11:25 PM

2018-10-02, 11:25 PM

Unconfirmed

Minecraft 1.11
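
A defender-side check for the two changes the report describes, added here as an example that is not part of the original report or of Mojang's code: it flags hosts-file entries for the authentication hostnames and trust-store entries aliased to those hostnames in `keytool -list` output. The function names, the sample inputs (constructed, using a documentation IP range and made-up fingerprints) and the alias heuristic are assumptions made for illustration.

```python
import re

# Hostnames the report says were redirected; extend for other services.
WATCHED = {"sessionserver.mojang.com", "authserver.mojang.com"}

def hosts_overrides(hosts_text, watched=WATCHED):
    """Return (line_no, ip, name) for each hosts entry that maps a watched name."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        for name in fields[1:]:                # one line may carry several aliases
            if name.lower() in watched:        # host names are case-insensitive
                hits.append((no, fields[0], name.lower()))
    return hits

# One entry of `keytool -list` output, in the two-line form quoted in the report.
ENTRY = re.compile(
    r"^(?P<alias>[^,\n]+),.*?(?P<kind>\w+Entry),\s*\n"
    r"Certificate fingerprint \((?P<alg>[^)]+)\): (?P<fp>[0-9A-F:]+)",
    re.MULTILINE)

def suspicious_trust_entries(keytool_listing, watched=WATCHED):
    """Return (alias, alg, fingerprint) for trusted certs aliased to a watched host.

    Heuristic (assumption): a CA trust store normally holds CA roots, so a
    trusted entry named after a service hostname deserves a closer look.
    """
    return [(m["alias"].strip().lower(), m["alg"], m["fp"])
            for m in ENTRY.finditer(keytool_listing)
            if m["kind"] == "trustedCertEntry"
            and m["alias"].strip().lower() in watched]

# Constructed sample inputs (not taken from a real machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
203.0.113.10 SessionServer.mojang.com   # mixed case
203.0.113.10 authserver.mojang.com extra.example
#203.0.113.10 authserver.mojang.com
"""
SAMPLE_LISTING = """\
exampleroot, Jan 1, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
authserver.mojang.com, Jan 1, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
"""

if __name__ == "__main__":
    print(hosts_overrides(SAMPLE_HOSTS))
    print(suspicious_trust_entries(SAMPLE_LISTING))
```

Feed it the contents of the machine's hosts file and the text produced by `keytool -list` on the keystore in question; any hit is a lead to investigate, not proof of compromise.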
