It’s not just for self-signed certs either.

Google Chrome already does a variation of this (hardcoded) for Google’s certs.

I envisage developers being able to pin the certs for their own servers, but 
even for services they use over SSL like parse.com and other BaaS providers.

The reason I am proposing the SHA1 fingerprint over the .cer file is that it’s 
easier to get the fingerprint and include a string in a config.xml directive 
than it is to include a .cer file. The easier it is to use, the more likely 
devs will use it.

- tommy


On 14 Jan 2014, at 8:16 am, Andrew Grieve <agri...@chromium.org> wrote:

> I think the proposal is to include a white-list of self-signed certs
> within apps (or is it to use *only* the whitelist and reject otherwise
> valid certs?).
> 
> I think it'd be great to have this feature. It's certainly been asked
> for several times.
> 
> The referenced plugin certainly is a good reference to how to get at
> the certificates. I don't know whether using the SHA1 of the public
> certificate, or just a .cer file, is easier, but I think they are both
> easy-enough and I don't believe you lose any security by using a SHA1.
> 
> So, this all sounds great to me!
> 
> 
> 
> On Mon, Jan 13, 2014 at 2:29 PM, Brian LeRoux <b...@brian.io> wrote:
>> So, sort of like CSRF tokens except the other way around. ???
>> 
>> I might be misunderstanding but would it not be better to treat the server
>> as trusted and the client generally as untrusted. Given there are no cross
>> platform key stores, the certs are effectively plaintext (but I could be
>> misunderstanding the impl).
>> 
>> 
>> On Sun, Jan 12, 2014 at 3:21 AM, Tommy-Carlos Williams
>> <to...@devgeeks.org> wrote:
>> 
>>> TL;DR: I am proposing to add certificate pinning at least to iOS and
>>> Android, and help on any implementations for other platforms in any way I
>>> can.
>>> 
>>> (Longer version)
>>> 
>>> There is an existing issue for certificate pinning [1] from back in May of
>>> 2013 and it's something that I need for all of our apps and even any I
>>> might make for myself in the future.
>>> 
>>> The last year or two have seen a pretty serious rise in both actual
>>> exploits and awareness around the topic of security. There was an article
>>> tweeted around recently about someone who audited mobile bank apps and found
>>> that "40% of the audited apps did not validate the authenticity of SSL
>>> certificates presented. This makes them susceptible to Man in The Middle
>>> (MiTM) attacks" [2].
>>> 
>>> If certificate pinning is something good, and we can make it easy to
>>> implement, surely that would be a good thing? The whitelist is all well and
>>> good, but most people are probably leaving the default "*" and even if they
>>> didn't, it wouldn't protect them from MitM attacks.
>>> 
>>> There *is* an existing plugin that attempts to do this for Cordova /
>>> PhoneGap [3][4], but it has a pretty massive and fairly obvious flaw. It
>>> simply checks the certificate then reports back in its callback. At first
>>> this might seem OK, but as someone pointed out in an issue [5], an attacker
>>> "could wait until the server is validated before adding the MITM server,
>>> circumventing the security check". I am no security expert, so if I could
>>> think of a way to get around this, then it's not very secure.
>>> 
>>> What I am proposing is adding certificate pinning to Cordova itself so
>>> that the *actual* requests are checked (much like the whitelist). Not some
>>> initial request, or having to try and do two requests for every request
>>> (still leaving open the hole I spoke of above).
>>> 
>>> I am looking for buy-in from the list, but I am also interested in
>>> discussion on the best way to do it (and test it).
>>> 
>>> My initial proposal is to use SHA1 fingerprints (much like Eddy's plugin
>>> above [6]) as opposed to trying to get devs to embed an entire cert file in
>>> their app. The easier it is to use the more likely people are to use it. If
>>> they can get the fingerprint from any site they want to safely access by
>>> simply using Chrome/Safari/etc, or a basic cli command, that would be best.
>>> I envisage devs being able to even pin the certs for third party services
>>> like Parse etc.
>>> 
>>> A simple config.xml directive with key/value pairs of any
>>> hosts/fingerprints should be all a dev needs to use this feature.
>>> 
>>> - tommy
>>> 
>>> 
>>> 
>>> 1. https://issues.apache.org/jira/browse/CB-3498
>>> 2. http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
>>> 3. http://www.x-services.nl/certificate-pinning-plugin-for-phonegap-to-prevent-man-in-the-middle-attacks/734
>>> 4. https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin
>>> 5. https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin/issues/5
>>> 6. https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin#3-usage
