I was reading through Certificate Transparency (CT) and its capabilities to monitor use and abuse of certificates. I am wondering if CT can detect SSL Pinning bypass in Mobile application (in case of Web Application for that matter). Request you to enlighten me on this. If yes, how? if no, why?
TL;DR
CT can not detect bypass of SSL Pinning in your mobile applications
CT and SSL Pinning are two different things. In SSL Pinning you are ensuring that either certificate hash/public key hash received during TLS handshake matched with the one pinned within the application to ensure that you only trust a whitelisted certificate instead of trusting everything in the device trust store whereas through CT we perform cryptographic checks to ensure if we received a valid SCT(Signed Certificate Timestamp) and log server pushed the cert entries to a public append-only log so as to ensure that there is no rouge cert generated for our domains by malicious trusted CA or through the compromise of a CA.
Also, note that with CT we only ensure that the certificates issued by PUBLIC CAs were issued legitimately whereas while performing MITM to intercept app traffic/bypassing pinning we use the certificate of proxy server(Charles/Burp/ZAP) which is not a public CA and hence the checks are not enforced through CT
Related
we have developed Ionic app, in that SSL pinning using advancedHttpPlugin but still, the security team was able to use a third party tool Burp Suite to install a CA in the mobile and track the application, they provided below message for fixing the issue.
Secure Socket Layers (SSL), or Transport Layer Security (TLS) in its more modern implementation, are protocols designed to provide security for network communication by means of encryption. This protocol is most commonly associated with other protocols to provide a secure implementation of the service that protocol provides. Certificate pinning is the process of associating the backend server with a particular X.509 certificate or public key instead of accepting any certificate signed by a trusted certificate authority. After storing ("pinning") the server certificate or public key, the mobile app will subsequently connect to the known server only. Withdrawing trust from external certificate authorities reduces the attack surface (after all, there are many cases of certificate authorities that have been compromised or tricked into issuing certificates to impostors). a) In order to make your communication safer, explicitly compare the SSL certificate used for the connection with an expected client-side certificate.
On Ionic, is there any other method we need to include to also restrict Burp CA?
Please help me to fix this, Thanks In advance.
Let's say that I have an app that transmits some sensitive info to my server. I want to reduce the risk of a man-in-the-middle attack on my users, so I pin the keys used by my server in the Network Security Configuration file.
But, let's say a user of my app does not trust the CA that issued our certificate, and has removed it from the list of trusted CAs, or maybe an OS update removes the CA because it has been found to be behaving badly.
Ideally, in such a case I would like my app to refuse to connect to the server. I only want it to make the connection if the certificate presented by the server is signed with a key in the pinset AND comes from a CA that is trusted by the OS/user. Does pinning a key in the network security config file accomplish this? Or, are pinned keys trusted no matter what?
The HPKP instructs the browser to store the signature for your server certificate for the period of time you specify. Using HPKP does not replace the standard certificate validation.
In your scenario the pinned PK in the browser will be valid for the server certificate your server is presenting, but the actual certificate validation will fail since the CA is not trusted.
In my application I am using the AndroidHttpClient to send an https request to the server. In order to avoid man-in-the-middle attack, we may need to check whether the SSL certificate is issued by a trusted authority. Is there any way we can achieve this without using the HttpsURLConnection and certificate pinning in client ?
The android application needs to trust all the certificates issued by the trusted CA's.
I am working on an Email app on Android. When we connect to Server which presents us a self-signed certificate, and we do not have it in our Trust manager then we show a verbose message to the user telling about the potential risk trusting this certificate like MITM.
But if user still consents to trust this certificate anyways, then we use an Insecure trust manager, that trusts any certificate for this connection.
This just increases the probability of MITM attacks.
To mitigate this (to some extent), we store the serial number and the issuer DN of the certificate locally.
Now next time when user try to connect to this server we check for the equality of serial number + issuer DN of the certificate with the one we have locally.
Is this a right approach/solution to the given problem?
Or is there something else we can do?
P.S. One solution can be that the user get the certificates and add to the default trust manager by installing it. But this will be beyond the scope of my app.
I want to perform extra validation for SSL connections I make in an android app.
Basically I need to be able to:
See if the certificate of the remote host I am connected to has Extended Validation (EV) status
Find out the root certificate authority for the certificate of the remote end. E.g. I want to know if it is a VeriSign certificate or not.
To elaborate a bit more, I am writing a client that needs a high level of security and our organization is using EV certificates from VeriSign on all servers. I want to prevent any compromised certificate authority, or anyone that can fool a certificate authority to forge a certificate for our domain be able to hijack the application.
Is this doable and if so, how? Is there a way to get more information about the certificate of the remote end from a URLConnection object or a HTTPClient object and so on?
First: you can't possibly 'prevent any compromised certificate authority' from issuing a certificate for your domain. If it is compromised, they can issue whatever they want. What you can do is create a trust store with a limited number of trusted CA certificates, say, VeriSign only. That way, even if an related CA is compromised and issues a cert for your domain, it wouldn't matter since you don't trust it in the first place. That would also take care of second bullet. To have additional checks you need to implement and install your own X509TrustManager. Check the JSSE reference guide for details.