cordova-dev mailing list archives

From Marcel Kinard <cmarc...@gmail.com>
Subject Re: Adding SSL Certificate Pinning to Cordova
Date Mon, 13 Jan 2014 21:26:15 GMT
I can see this being nice for scenarios similar to ssh's StrictHostKeyChecking option where
DNS or other infrastructure may not be trusted, and for internal enterprise networks that
use self-signed certs as long as they put the cert (or the cert's sha1 as you propose) in
the app at build time.

It's improved security that would be purely optional, and quite easy to set up.

+1

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

On Jan 12, 2014, at 6:21 AM, Tommy-Carlos Williams <tommy@devgeeks.org> wrote:

> TL;DR: I am proposing to add certificate pinning at least to iOS and Android, and help on any implementations for other platforms in any way I can.
> 
> (Longer version)
> 
> There is an existing issue for certificate pinning [1] from back in May of 2013 and it's something that I need for all of our apps and even any I might make for myself in the future.
> 
> The last year or two have seen a pretty serious rise in both actual exploits and awareness around the topic of security. There was an article tweeted around recently about someone auditing mobile bank apps and found that "40% of the audited apps did not validate the authenticity of SSL certificates presented. This makes them susceptible to Man in The Middle (MiTM) attacks" [2].
> 
> If certificate pinning is something good, and we can make it easy to implement, surely that would be a good thing? The whitelist is all well and good, but most people are probably leaving the default "*" and even if they didn't, it wouldn't protect them from MitM attacks.
> 
> There *is* an existing plugin that attempts to do this for Cordova / PhoneGap [3][4], but it has a pretty massive and fairly obvious flaw. It simply checks the certificate then reports back in its callback. At first this might seem OK, but as someone pointed out in an issue [5], an attacker "could wait until the server is validated before adding the MITM server, circumventing the security check". I am no security expert, so if I could think of a way to get around this, then it's not very secure.
> 
> What I am proposing, is adding certificate pinning to Cordova itself so that the *actual* requests are checked (much like the whitelist). Not some initial request, or having to try and do two requests for every request (still leaving open the hole I spoke of above).
> 
> I am looking for buy-in from the list, but I am also interested in discussion on the best way to do it (and test it).
> 
> My initial proposal is to use SHA1 fingerprints (much like Eddy's plugin above [6]) as opposed to trying to get devs to embed an entire cert file in their app. The easier it is to use the more likely people are to use it. If they can get the fingerprint from any site they want to safely access by simply using Chrome/Safari/etc, or a basic cli command, that would be best. I envisage devs being able to even pin the certs for third party services like Parse etc.
> 
> A simple config.xml directive with key/value pairs of any hosts/fingerprints should be all a dev needs to use this feature.
> 
> - tommy
> 
> 
> 
> 1. https://issues.apache.org/jira/browse/CB-3498
> 2. http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
> 3. http://www.x-services.nl/certificate-pinning-plugin-for-phonegap-to-prevent-man-in-the-middle-attacks/734
> 4. https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin
> 5. https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin/issues/5
> 6. https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin#3-usage
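
The check discussed in this thread, sketched in Node.js as an added example that is not part of the original messages and not Cordova or plugin code: a host-to-SHA1-fingerprint map enforced during the TLS handshake of the request itself, rather than by a separate probe request. The PINS map, the host name, the certificate bytes and all helper names are assumptions made for illustration.

```javascript
// Added example, not Cordova or plugin code. PINS, the host name and the
// certificate bytes are constructed; all helper names are hypothetical.
const crypto = require('crypto');
const tls = require('tls');

// Accept "AA:BB:..." as browsers show it, or bare hex, in either case.
function normalizeFingerprint(fp) {
  return fp.replace(/[^0-9a-fA-F]/g, '').toLowerCase();
}

// SHA-1 over the DER-encoded certificate: the fingerprint format proposed above.
function fingerprintOf(der) {
  return crypto.createHash('sha1').update(der).digest('hex');
}

// Returns undefined if the certificate is acceptable for host, else an Error.
function checkPin(pins, host, cert) {
  const key = host.toLowerCase();
  // Pinning is opt-in per host: unlisted hosts get normal validation only.
  if (!Object.prototype.hasOwnProperty.call(pins, key)) return undefined;
  const expected = Buffer.from(normalizeFingerprint(pins[key]), 'hex');
  const actual = Buffer.from(fingerprintOf(cert.raw), 'hex');
  // A malformed or empty pin has the wrong length and therefore fails closed.
  const match = expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual);
  return match ? undefined : new Error(`certificate pin mismatch for ${host}`);
}

// Options for https.request(): Node calls checkServerIdentity during the TLS
// handshake of the connection that carries the request, so there is no gap
// between "certificate checked" and "data sent".
function pinnedRequestOptions(pins, options) {
  return Object.assign({}, options, {
    checkServerIdentity: (host, cert) =>
      tls.checkServerIdentity(host, cert) || checkPin(pins, host, cert),
  });
}

// Constructed stand-ins for DER certificates, so the demo runs offline.
const goodCert = { raw: Buffer.from('constructed certificate A') };
const otherCert = { raw: Buffer.from('constructed certificate B') };
const PINS = { 'api.example.test': fingerprintOf(goodCert.raw) };

console.log(checkPin(PINS, 'api.example.test', goodCert));
console.log(String(checkPin(PINS, 'api.example.test', otherCert)));
```

Returning an Error from `checkServerIdentity` makes Node abort the handshake, so a request to a pinned host is never sent over a connection whose certificate does not match.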

