On 27/09/17 18:51, Eliezer Croitoru wrote:

> What exactly do you mean by proof of concept for such an attack?
> With commodity hardware and a normal budget you cannot attack a pinned certificate.
> The only "efficient" way to enable such an attack would be to patch the client-side OS memory or binary.

Pinning is _supposed_ to be disabled in cases where the certificate presented by the website is signed by a root certificate that was imported by the user, rather than in the device's default certificate store. So in theory, a website with a pinned certificate can still be man-in-the-middled by Squid in the usual way, since Squid's CA certificate would have been manually imported into the device.

In practice, web browsers tend to follow this rule, but apps don't - for example, you can MITM communications between Chrome and Facebook's servers, but you can't MITM communications between the Facebook Android app and Facebook's servers.

The situation is further complicated by the fact that Android 7 disables the use of the user's trusted certificate store by all applications unless they specifically opt into it. This renders Squid's SslBump functionality practically useless for those devices, even though the user has consented to being MITM'd by importing Squid's CA certificate.

https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

(For what it's worth, our business is supplying e-safety systems to schools, and we are of the opinion that Google have ruled Android devices out of the British education sector because schools cannot meet the UK government's safeguarding requirements when Android 7 devices are in use on their network).

--
 - Steve Hill
   Technical Director
   Opendium    Online Safety / Web Filtering    http://www.opendium.com

   Enquiries                 Support
   ---------                 -------
   sa...@opendium.com        supp...@opendium.com
   +44-1792-824568           +44-1792-825748
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
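As an added illustration (not part of the message above or of the Squid project), this is the Android Network Security Configuration an app author ships to opt back into the user-added certificate store that Android 7 stopped trusting by default, shown beside the implicit default that the message describes. The file name follows Android's documented convention; the host name and pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example, not code from the original thread or from Squid.
  res/xml/network_security_config.xml, wired in with
  android:networkSecurityConfig="@xml/network_security_config"
  on the <application> element of AndroidManifest.xml.

  Implicit Android 7 default (what the message above describes):
    <base-config>
      <trust-anchors>
        <certificates src="system"/>
      </trust-anchors>
    </base-config>
  Only the system store is trusted, so a Squid CA imported by the user
  is ignored and SslBump'd connections fail validation inside the app.
-->
<network-security-config>
    <!-- Opt back in: trust user-added CAs for every connection the app makes. -->
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>

    <!-- Pinning for one host (example.com is a placeholder). Even with the
         user store trusted, a chain ending in a user-added CA still fails
         the pin check unless that source carries overridePins="true";
         setting it gives the browser-style behaviour described above. -->
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2018-12-31">
            <!-- base64 SHA-256 of the pinned SubjectPublicKeyInfo; placeholder values -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user" overridePins="true"/>
        </trust-anchors>
    </domain-config>

    <!-- Applies only to debuggable builds: trust user CAs (and, by default
         inside debug-overrides, bypass pins) without touching release behaviour. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The point for a filtering proxy such as Squid is that every one of these settings lives inside the app's own APK: the device owner importing the proxy's CA changes nothing unless the app author has shipped a `<certificates src="user"/>` anchor, which is why SslBump works for the browser but not for most apps on Android 7.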
