Another implementation of iOS Cert Pinning: https://github.com/iSECPartners/ssl-conservatory
On Thu, Jan 23, 2014 at 12:13 PM, Tommy-Carlos Williams <to...@devgeeks.org> wrote:

> Marcel,
>
> Are you saying that CordovaWebviewClient.onReceivedSslError can’t get the actual cert?
>
> Oh… the SslCertificate object returned by SslError.getCertificate is mostly about the DN.
>
> *sigh*
>
> I’ll have a look and see if I can come up with something. Back to the proverbial.
>
> - tommy
>
> On 24 Jan 2014, at 4:34 am, Marcel Kinard <cmarc...@gmail.com> wrote:
>
> > Although Moxie's point may be a bit radical, I think it is a valid scenario.
> >
> > It would be nice to implement this. I'd even be willing to do it, since I have a customer that wants this too. I'm familiar only with Android, but I'm still struggling to see a way to do this there: the CordovaWebViewClient.onReceivedSslError method will get called only for self-signed certs (so it doesn't cover the full pinning scenario that has a valid CA), but even if you are OK with that, the cert data available doesn't include the server's public key (the self DN and issuer DN aren't authoritative enough to do the pin comparison).
> >
> > If there are implementation alternatives I'm missing, I'm all ears.
> >
> > On Jan 22, 2014, at 8:08 PM, Tommy-Carlos Williams <to...@devgeeks.org> wrote:
> >
> >> I am reconsidering the “deal breaker” status of only working with self-signed certs.
> >>
> >> In one of the articles I have been using as a reference[1], Moxie Marlinspike actually prefers the option of doing away with the CAs entirely for mobile apps and doing exactly that[2].
> >>
> >> I can certainly think of a way that it would work better for our use case. The only use case harmed would be wanting to pin the certs of third party services like Parse, etc.
> >>
> >> I guess it comes down to… is it better to do something for some people than nothing for anyone? If it could be done in a way that only impacted those that opted in, surely the former beats the latter.
> >>
> >> - tommy
> >>
> >> 1. http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/
> >> 2. http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/#option_1_wipe_the_page_clean
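Marcel's point above, that subject and issuer DNs are not authoritative enough for a pin comparison and the check needs the server's public key, as an added example that is not from the thread or from Cordova: it builds two constructed, certificate-shaped DER blobs with the same subject DN but different keys, and shows that a DN check accepts both while a SHA-256 pin over the SubjectPublicKeyInfo accepts only the expected one. The DER helpers, the toy certificate layout and the key bytes are my own simplifications, not real X.509 handling.

```python
import base64, hashlib

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short form plus 1- or 2-byte long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes(1 if n < 0x100 else 2, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv_split(data: bytes) -> list:
    """Split concatenated DER TLVs into a list of raw TLV byte strings."""
    out, i = [], 0
    while i < len(data):
        first = data[i + 1]
        hlen = 2 if first < 0x80 else 2 + (first & 0x7F)
        n = first if first < 0x80 else int.from_bytes(data[i + 2:i + hlen], "big")
        out.append(data[i:i + hlen + n])
        i += hlen + n
    return out

def body(tlv: bytes) -> bytes:
    """Value bytes of one DER TLV."""
    return tlv[2 if tlv[1] < 0x80 else 2 + (tlv[1] & 0x7F):]
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))             # rsaEncryption
SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
def toy_cert(cn: str, pubkey: bytes) -> bytes:
    """Certificate-shaped DER (constructed and unsigned; NOT a real X.509 cert)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + pubkey))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SIG_ALG
              + name + validity + name + spki)
    return der(0x30, tbs + SIG_ALG + der(0x03, b"\x00" * 9))
def _tbs_field(cert: bytes, index: int) -> bytes:
    """TBSCertificate field in RFC 5280 order (0=serial ... 4=subject, 5=spki)."""
    tbs = tlv_split(body(tlv_split(body(cert))[0]))
    return tbs[index + (1 if tbs[0][0] == 0xA0 else 0)]  # skip optional [0] version

def subject_cn(cert: bytes) -> str:
    """All a DN-only API hands you: a name string anyone can put in their own cert."""
    atv = tlv_split(body(tlv_split(body(_tbs_field(cert, 4)))[0]))[0]
    return body(tlv_split(body(atv))[1]).decode()

def spki_pin(cert: bytes) -> str:
    """sha256/base64 over the DER SubjectPublicKeyInfo, the usual pin format."""
    return "sha256/" + base64.b64encode(hashlib.sha256(_tbs_field(cert, 5)).digest()).decode()

# Constructed demo: same subject DN, different public keys (placeholder key bytes).
GOOD = toy_cert("api.example.com", b"\x01" * 32)
ROGUE = toy_cert("api.example.com", b"\x02" * 32)
```

On Android the same digest would be taken over the DER returned by `X509Certificate.getPublicKey().getEncoded()`, which is exactly the data the thread notes the DN-only `SslCertificate` view does not provide.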