cordova-dev mailing list archives

From Tommy-Carlos Williams <to...@devgeeks.org>
Subject Re: Adding SSL Certificate Pinning to Cordova
Date Thu, 23 Jan 2014 20:13:55 GMT
Marcel,

Are you saying that CordovaWebviewClient.onReceivedSslError can’t get the actual cert?

Oh… the SslCertificate object returned by SslError.getCertificate is mostly about the DN.

*sigh*

I’ll have a look and see if I can come up with something. Back to the proverbial.


- tommy

On 24 Jan 2014, at 4:34 am, Marcel Kinard <cmarcelk@gmail.com> wrote:

> Although Moxie's point may be a bit radical, I think it is a valid scenario.
> 
> It would be nice to implement this. I'd even be willing to do it, since I have a customer
> that wants this too. I'm familiar only with Android, but I'm still struggling to see a way
> to do this there: the CordovaWebViewClient.onReceivedSslError method will get called only
> for self-signed certs (so it doesn't cover the full pinning scenario that has a valid CA),
> but even if you are OK with that, the cert data available doesn't include the server's public
> key (the self DN and issuer DN aren't authoritative enough to do the pin comparison).
> 
> If there are implementation alternatives I'm missing, I'm all ears.
> 
> On Jan 22, 2014, at 8:08 PM, Tommy-Carlos Williams <tommy@devgeeks.org> wrote:
> 
>> I am reconsidering the “deal breaker” status of only working with self-signed
>> certs.
>> 
>> In one of the articles I have been using as a reference[1], Moxie Marlinspike actually
>> prefers the option of doing away with the CAs entirely for mobile apps and doing exactly that[2].
>> 
>> I can certainly think of a way that it would work better for our use case. The only
>> use case harmed would be wanting to pin the certs of third party services like Parse, etc.
>> 
>> I guess it comes down to… is it better to do something for some people than nothing
>> for anyone? If it could be done in a way that only impacted those that opted in, surely the
>> former beats the latter.
>> 
>> - tommy
>> 
>> 1. http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/
>> 2. http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/#option_1_wipe_the_page_clean
> 
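An added example, not code from this thread or from the Cordova project, of how a pin check inside onReceivedSslError could still reach the DER-encoded certificate despite SslCertificate exposing mostly DN fields: it assumes that SslCertificate.saveState() (API 14+) writes the encoded certificate under the undocumented "x509-certificate" Bundle key, and uses a placeholder pin value. It inherits the limitation Marcel describes: the callback only fires when the platform's own validation has already failed, so certificates chaining to a trusted CA are never seen here.

```java
// Added example (not Cordova code). Assumptions: SslCertificate.saveState() stores the
// DER certificate under the Bundle key "x509-certificate" (undocumented), and
// EXPECTED_SPKI_SHA256 is a placeholder for the real base64 SHA-256 of the server's
// SubjectPublicKeyInfo.
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.util.Base64;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class PinningWebViewClient extends WebViewClient {
    // Placeholder: base64 SHA-256 of the pinned server's SubjectPublicKeyInfo.
    private static final String EXPECTED_SPKI_SHA256 = "REPLACE_WITH_BASE64_SPKI_HASH";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Only reached when system validation failed (e.g. self-signed cert).
        if (matchesPin(error.getCertificate())) {
            handler.proceed();  // self-signed but matches our pin: accept
        } else {
            handler.cancel();   // anything else: refuse to load the page
        }
    }

    static boolean matchesPin(SslCertificate cert) {
        try {
            Bundle state = SslCertificate.saveState(cert);
            byte[] der = (state == null) ? null : state.getByteArray("x509-certificate");
            if (der == null) return false;  // no raw cert available: fail closed
            X509Certificate x509 = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
            // Pin the public key (SPKI), so a renewed cert with the same key still matches.
            byte[] spki = x509.getPublicKey().getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            byte[] expected = Base64.decode(EXPECTED_SPKI_SHA256, Base64.DEFAULT);
            return MessageDigest.isEqual(digest, expected);  // constant-time compare
        } catch (Exception e) {
            return false;  // parse or digest failure: fail closed
        }
    }
}
```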

