From: Tommy-Carlos Williams
To: dev@cordova.apache.org
Subject: Re: Adding SSL Certificate Pinning to Cordova
Date: Fri, 24 Jan 2014 07:13:55 +1100

Marcel,

Are you saying that CordovaWebviewClient.onReceivedSslError can’t get the actual cert?

Oh… the SslCertificate object returned by SslError.getCertificate is mostly about the DN. *sigh*

I’ll have a look and see if I can come up with something. Back to the proverbial.

- tommy

On 24 Jan 2014, at 4:34 am, Marcel Kinard wrote:

> Although Moxie's point may be a bit radical, I think it is a valid scenario.
>
> It would be nice to implement this. I'd even be willing to do it, since I have a customer that wants this too. I'm familiar only with Android, but I'm still struggling to see a way to do this there: the CordovaWebViewClient.onReceivedSslError method will get called only for self-signed certs (so it doesn't cover the full pinning scenario that has a valid CA), but even if you are OK with that the cert data available doesn't include the server's public key (the self DN and issuer DN aren't authoritative enough to do the pin comparison).
>
> If there are implementation alternatives I'm missing, I'm all ears.
>
> On Jan 22, 2014, at 8:08 PM, Tommy-Carlos Williams wrote:
>
>> I am reconsidering the “deal breaker” status of only working with self-signed certs.
>>
>> In one of the articles I have been using as a reference[1], Moxie Marlinspike actually prefers the option of doing away with the CAs entirely for mobile apps and doing exactly that[2].
>>
>> I can certainly think of a way that it would work better for our use case. The only use case harmed would be wanting to pin the certs of third-party services like Parse, etc.
>>
>> I guess it comes down to… is it better to do something for some people than nothing for anyone? If it could be done in a way that only impacted those that opted in, surely the former beats the latter.
>>
>> - tommy
>>
>> 1. http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/
>> 2. http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/#option_1_wipe_the_page_clean