To summarize what app developers can do about this kind of thing, using pinning is one approach that works well. An app can use pinning to enforce the use of a certain subset of the certificate authorities that the system supports. ChatSecure does this on iOS and Android, for example. On Android we use Moxie Marlinspike's AndroidPinning library to make a whitelist of trusted Certificate Authorities (CAs). For connections not signed by one of those trusted CAs, the user can optionally trust the certificate in TOFU/POP style (e.g. self-signed, cacert.org, etc).
Chrome and Firefox now have pinning features (HSTS) that allow websites to set up pins. There are plans for allowing a website to specify a required signing key (e.g. one trusted Certificate Authority). Chrome already includes pins that require all Google sites to have been signed by their trusted Certificate Authority. Firefox also includes some pins like this. More info here:

https://www.imperialviolet.org/2011/05/04/pinning.html
https://blog.mozilla.org/security/2014/09/02/public-key-pinning/
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

.hc

Nathan of Guardian wrote:
> This is directly relevant to the IRC discussion about pinning and
> ChatSecure from yesterday.
>
> ----- Original message -----
> From: Percy Alpha <[email protected]>
> To: liberationtech <[email protected]>
> Subject: [liberationtech] China Internet Network Information Center is a
> trusted root CA
> Date: Tue, 28 Oct 2014 14:27:32 +0800
>
> I'm Percy from GreatFire.org; the author of the report of the iCloud MITM
> in China
> <http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/21/apples-icloud-service-suffers-cyber-attack-in-china-putting-passwords-in-peril/>
> last week. The attacks used a self-signed certificate. But I believe that
> targeted attacks using the CNNIC CA are very possible, if they have not
> happened already.
>
> Microsoft, Apple, Ubuntu and Firefox trust CNNIC (China Internet Network
> Information Center) as a root CA. CNNIC has implemented (and tried to
> mask) internet censorship, produced malware and has very bad security
> practices. Tech-savvy users in China have been protesting the inclusion
> of CNNIC as a trusted certificate authority for years.
>
> You can go to
> https://en.greatfire.org/blog/2014/oct/apple-and-microsoft-trust-chinese-government-protect-your-communication
> to see more details and test whether you're vulnerable. We also present
> a method to revoke all dubious Chinese CAs.
>
> Percy Alpha (PGP <https://en.greatfire.org/contact#alt>)
> GreatFire.org Team
>
> --
> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81

_______________________________________________
Guardian-dev mailing list
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
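The client-side policy the post describes (a whitelist of CA pins, with trust-on-first-use for anything the whitelist does not cover) as an added Go example; this is not ChatSecure's or AndroidPinning's code, and the PinPolicy type, its two maps and the Verify signature are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
)

// spkiPin hashes the SubjectPublicKeyInfo rather than the whole certificate,
// so a pin survives renewal of a certificate that keeps the same key.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinPolicy (hypothetical) holds the whitelisted CA pins plus a trust-on-first-use
// store for hosts whose certificate does not chain to one of those CAs.
type PinPolicy struct {
	TrustedCAPins map[string]bool   // SPKI pins of the CAs the app accepts
	TOFU          map[string]string // host -> leaf SPKI pin accepted on first use
}

// Verify runs in addition to, not instead of, the normal chain and hostname checks.
// A chain is accepted if any certificate in it carries a whitelisted CA pin;
// otherwise the leaf must match the pin remembered for the host or, when the user
// opts in (acceptNew), be remembered now. Anything else is rejected even if the
// platform's root store would have trusted it.
func (p *PinPolicy) Verify(host string, chain []*x509.Certificate, acceptNew bool) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	for _, c := range chain {
		if p.TrustedCAPins[spkiPin(c)] {
			return nil // chains to a CA the app explicitly trusts
		}
	}
	leaf := spkiPin(chain[0])
	if seen, ok := p.TOFU[host]; ok {
		if seen == leaf {
			return nil // same key as on first use
		}
		return errors.New("leaf key for " + host + " changed since first use: possible MITM")
	}
	if !acceptNew {
		return errors.New("no trusted CA pin and no TOFU record for " + host)
	}
	p.TOFU[host] = leaf // user chose to trust this key; a real app persists this
	return nil
}
```

On the client this is the shape of check that goes into tls.Config's VerifyPeerCertificate callback. For a self-signed or cacert.org certificate the platform's own chain validation fails, so the TOFU path only helps when the app performs its own verification.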
