cordova-dev mailing list archives

From Shazron <shaz...@gmail.com>
Subject Re: Adding SSL Certificate Pinning to Cordova
Date Mon, 27 Jan 2014 20:18:48 GMT
Another implementation of iOS Cert Pinning:
https://github.com/iSECPartners/ssl-conservatory

On Thu, Jan 23, 2014 at 12:13 PM, Tommy-Carlos Williams
<tommy@devgeeks.org> wrote:

> Marcel,
>
> Are you saying that CordovaWebviewClient.onReceivedSslError can’t get the
> actual cert?
>
> Oh… the SslCertificate object returned by SslError.getCertificate is
> mostly about the DN.
>
> *sigh*
>
> I’ll have a look and see if I can come up with something. Back to the
> proverbial.
>
>
> - tommy
>
> On 24 Jan 2014, at 4:34 am, Marcel Kinard <cmarcelk@gmail.com> wrote:
>
> > Although Moxie's point may be a bit radical, I think it is a valid scenario.
> >
> > It would be nice to implement this. I'd even be willing to do it, since I
> have a customer that wants this too. I'm familiar only with Android, but
> I'm still struggling to see a way to do this there: the
>  CordovaWebViewClient.onReceivedSslError method will get called only for
> self-signed certs (so it doesn't cover the full pinning scenario that has a
> valid CA), but even if you are OK with that the cert data available doesn't
> include the server's public key (the self DN and issuer DN isn't
> authoritative enough to do the pin comparison).
> >
> > If there are implementation alternatives I'm missing, I'm all ears.
> >
> > On Jan 22, 2014, at 8:08 PM, Tommy-Carlos Williams <tommy@devgeeks.org>
> wrote:
> >
> >> I am reconsidering the “deal breaker” status of only working with
> self-signed certs.
> >>
> >> In one of the articles I have been using as a reference[1], Moxie
> Marlinspike actually prefers the option of doing away with the CAs entirely
> for mobile apps and doing exactly that[2].
> >>
> >> I can certainly think of a way that it would work better for our use
> case. The only use case harmed would be wanting to pin the certs of third
> party services like Parse, etc.
> >>
> >> I guess it comes down to… is it better to do something for some people
> than nothing for anyone. If it could be done in a way that only impacted
> those that opted in, surely the former beats the latter.
> >>
> >> - tommy
> >>
> >>
> >>
> >> 1.
> http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/
> >> 2.
> http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/#option_1_wipe_the_page_clean
> >
>
>
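The Android path Marcel and Tommy discuss, as an added example that is not part of this thread or of Cordova: a WebViewClient that, inside onReceivedSslError, recovers the full X509Certificate from the SslCertificate and compares a SHA-256 hash of the server's SubjectPublicKeyInfo (not the DN) against a pinned list. It assumes the undocumented "x509-certificate" key in the Bundle returned by SslCertificate.saveState(), uses placeholder pin values, and, as the thread notes, only ever runs for certificates the platform has already rejected (e.g. self-signed), so it does not pin connections that validate against a system CA.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.util.Base64;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Hypothetical client that pins the server's public key once the platform has rejected the chain. */
public class PinningWebViewClient extends WebViewClient {
    // Placeholders: base64(SHA-256(DER SubjectPublicKeyInfo)) of your server key and a backup key.
    private static final String[] PINNED_SPKI_SHA256 = {
            "REPLACE_WITH_BASE64_SHA256_OF_SERVER_SPKI",
            "REPLACE_WITH_BASE64_SHA256_OF_BACKUP_SPKI"};

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Reached only when system validation failed (e.g. self-signed), so a cert that chains
        // to a trusted CA never arrives here: this covers the self-signed case from the thread.
        try {
            X509Certificate cert = toX509(error.getCertificate());
            if (cert != null && Arrays.asList(PINNED_SPKI_SHA256).contains(spkiSha256(cert))) {
                handler.proceed();  // leaf public key matches a pin
                return;
            }
        } catch (Exception e) { /* any parse or digest failure counts as a mismatch */ }
        handler.cancel();           // default deny
    }

    /** Recovers the full X509Certificate; SslCertificate itself exposes little beyond the DNs. */
    static X509Certificate toX509(SslCertificate sslCert) throws Exception {
        // Assumption: saveState() stores the DER bytes under the undocumented key
        // "x509-certificate" (AOSP SslCertificate); getX509Certificate() needs API 29+.
        byte[] der = SslCertificate.saveState(sslCert).getByteArray("x509-certificate");
        if (der == null) return null;
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    /** SHA-256 of the DER SubjectPublicKeyInfo: the key, not the DN, is what gets compared. */
    static String spkiSha256(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();  // X.509 encoding of the key is the SPKI
        return Base64.encodeToString(MessageDigest.getInstance("SHA-256").digest(spki), Base64.NO_WRAP);
    }
}
```

Because the hook is skipped entirely for a chain that validates, a valid-CA certificate from a different key would still be accepted by the WebView, which is exactly the gap Marcel describes.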
