cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tommy-Carlos Williams <to...@devgeeks.org>
Subject Re: Adding SSL Certificate Pinning to Cordova
Date Mon, 13 Jan 2014 21:42:59 GMT
It’s not just for self-signed certs either.

Google Chrome already does a variation of this (hardcoded) for Google’s certs.

I envisage developers being able to pin the certs for their own servers, but even for services
they use over SSL like parse.com and other BaaS provides.

The reason I am proposing the SHA1 fingerprint over the .cer file is that it’s easier to
get the fingerprint and include a string in a config.xml directive than it is to include a
.cer file. The easier it is to use, the more likely devs will use it.

- tommy


On 14 Jan 2014, at 8:16 am, Andrew Grieve <agrieve@chromium.org> wrote:

> I think the proposal is to include a white-list of self-signed certs
> within apps (or is it to use *only* the whitelist and reject otherwise
> valid certs?).
> 
> I think it'd be great to have this feature. It's certainly been asked
> for several times.
> 
> The referenced plugin certainly is a good reference to how to get at
> the certificates. I don't know whether use the SHA1 of the public
> certificate, or just a .cer file is easier, but I think they are both
> easy-enough and I don't believe you lose any security by using a SHA1.
> 
> So, this all sounds great to me!
> 
> 
> 
> On Mon, Jan 13, 2014 at 2:29 PM, Brian LeRoux <b@brian.io> wrote:
>> So, sort of like CRSF tokens except the other way around. ???
>> 
>> I might be misunderstanding but would it not be better to treat the server
>> as trusted and the client generally as untrusted. Given there is no cross
>> platform key stores the certs are effectively plaintext (but I could be
>> misunderstanding the impl).
>> 
>> 
>> On Sun, Jan 12, 2014 at 3:21 AM, Tommy-Carlos Williams
>> <tommy@devgeeks.org>wrote:
>> 
>>> TL;DR: I am proposing to add certificate pinning at least to iOS and
>>> Android, and help on any implementations for other platforms in any way I
>>> can.
>>> 
>>> (Longer version)
>>> 
>>> There is an existing issue for certificate pinning [1] from back in May of
>>> 2013 and it's something that I need for all of our apps and even any I
>>> might make for myself in the future.
>>> 
>>> The last year or two have seen a pretty serious rise in both actual
>>> exploits and awareness around the topic of security. There was an article
>>> tweeted around recently about someone auditing mobile bank apps and found
>>> that "40% of the audited apps did not validate the authenticity of SSL
>>> certificates presented. This makes them susceptible to Man in The Middle
>>> (MiTM) attacks" [2].
>>> 
>>> If certificate pinning is something good, and we can make it easy to
>>> implement, surely that would be a good thing? The whitelist is all well and
>>> good, but most people are probably leaving the default "*" and even if they
>>> didn't, it wouldn't protect them from MitM attacks.
>>> 
>>> There *is* an existing plugin that attempts to do this for Cordova /
>>> PhoneGap [3][4], but it has a pretty massive and fairly obvious flaw. It
>>> simply checks the certificate then reports back in its callback. At first
>>> this might seem OK, but as someone pointed out in an issue [5], an attacker
>>> "could wait until the server is validated before adding the MITM server,
>>> circumventing the security check". I am no security expert, so if I could
>>> think of a way to get around this, then it's not very secure.
>>> 
>>> What I am proposing, is adding certificate pinning to Cordova itself so
>>> that the *actual* requests are checked (much like the whitelist). Not some
>>> initial request, or having to try and do two requests for every request
>>> (still leaving open the hole I spoke of above).
>>> 
>>> I am looking for buy-in from the list, but I am also interested in
>>> discussion on the best way to do it (and test it).
>>> 
>>> My initial proposal is to use SHA1 fingerprints (much like Eddy's plugin
>>> above [6]) as opposed to trying to get devs to embed an entire cert file in
>>> their app. The easier it is to use the more likely people are to use it. If
>>> they can get the fingerprint from any site they want to safely access by
>>> simply using Chrome/Safari/etc, or a basic cli command, that would be best.
>>> I envisage devs being able to even pin the certs for third party services
>>> like Parse etc.
>>> 
>>> A simple config.xml directive with key/value pairs of any
>>> hosts/fingerprints should be all a dev needs to use this feature.
>>> 
>>> - tommy
>>> 
>>> 
>>> 
>>> 1. https://issues.apache.org/jira/browse/CB-3498
>>> 2.
>>> http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
>>> 3.
>>> http://www.x-services.nl/certificate-pinning-plugin-for-phonegap-to-prevent-man-in-the-middle-attacks/734
>>> 4. https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin
>>> 5.
>>> https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin/issues/5
>>> 6.
>>> https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin#3-usage


Mime
View raw message