[Fed-Talk] OT: [android-security-discuss] Android 4.2 and Pinning
- Subject: [Fed-Talk] OT: [android-security-discuss] Android 4.2 and Pinning
- From: Jeffrey Walton <email@hidden>
- Date: Mon, 26 Nov 2012 14:37:10 -0500
Sorry about the off topic thread. This is important due to all the
problems with infrastructure on mobile devices. Folks in the Federal
arena and DoD might be interested in increasing assurances on the
channel by pinning public keys when available. The discussion includes
steps to have Google pin a public key in the web browser.
Pinning leverages the pre-existing relationship between a user and a
site. Pinning is similar to SSH's StrictHostKeyChecking option. Public
key pinning is now a draft status RFC (). Recall that Chrome did not
suffer Diginotar's failure because Chrome pinned its expected public
key.
It's not only bad guys who will use infrastructure defects to subvert
the secure channel. Users will do it too:
http://www.zdnet.com/apple-mac-in-app-purchases-hacked-everything-free-like-on-ios-7000001323/.
What I'm not clear about: is this available to only Chrome and
com.android.browser? Or is it more general purpose, where libcore-ssl
is providing it everywhere?
Jeff
---------- Forwarded message ----------
From: Geremy Condra <email@hidden>
Date: Sun, Nov 18, 2012 at 8:21 PM
Subject: Re: [android-security-discuss] Android 4.2 and Pinning
To: Simon Dieterle <email@hidden>
Cc: Android Security Discussions
<email@hidden>, email@hidden
On Sun, Nov 18, 2012 at 5:00 PM, Simon Dieterle <email@hidden> wrote:
>
> Heyho,
>
> What do I have to do to use it?
If you're a user of the device, nothing. The platform will
automatically pin connections based on a pin list we provide. For most
users that list will currently be empty, but as we become more
confident that we aren't breaking good connections we'll be providing
additional pins.
If you're an application developer and just want to pin your own
connections you should either implement a custom TrustManager or use
the new http://developer.android.com/reference/android/net/http/X509TrustManagerExtensions.html
extensions and check the list of certificates you get back out of it.
Finally, if you're a website owner and you want to be pinned, please
send an email to email@hidden.
Thanks,
Geremy Condra
>
>
> On Sunday, November 18, 2012 9:12:53 PM UTC+1, Geremy Condra wrote:
>>
>> Hey Jeffrey,
>>
>> Yep, we pin to the public key that issued the certificate.
>>
>> Thanks,
>> Geremy Condra
>>
>>
>> On Sun, Nov 18, 2012 at 10:36 AM, Jeffrey Walton <email@hidden> wrote:
>>>
>>> Hi All/Nick.
>>>
>>> According to About Jelly Bean
>>> (http://developer.android.com/about/versions/jelly-bean.html),
>>> libcore SSL supports pinning:
>>>
>>> "Certificate Pinning — The libcore SSL implementation now supports
>>> certificate pinning. Pinned domains will receive a certificate
>>> validation failure if the certificate does not chain to a set of
>>> expected certificates. This protects against possible compromise of
>>> Certificate Authorities."
>>>
>>> I know it tells me certificate pinning, but is that public key
>>> pinning? I've been running tests on encrypted.google.com and gmail.com
>>> for the last 18 months or so. Google rotates its certificates
>>> regularly, but the underlying public key is static.
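The thread describes pinning as a check layered on top of ordinary chain validation (Jeff's "pre-existing relationship" analogy) and Geremy's suggestion to do it in a custom TrustManager, pinning to the public key rather than the rotating certificate. The following is an added example of that pattern written for this page; it is not code from the thread or from the Android project. It delegates to the platform's default X509TrustManager first, then requires that some certificate in the chain carry a SubjectPublicKeyInfo whose SHA-256 digest is in a hypothetical pin set (the PINS value is a placeholder, and the class and method names are this example's own).

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Public-key pinning on top of normal PKI validation (added example, not
 * from the thread). Pins are hex(SHA-256(DER SubjectPublicKeyInfo)), so a
 * site can rotate certificates freely as long as the key stays the same.
 * Because every certificate in the chain is checked, pinning to the issuing
 * CA's key (as Geremy describes Android doing) just means putting the
 * issuer's SPKI digest in the set instead of the leaf's.
 */
public final class PinningTrustManager implements X509TrustManager {

    // Hypothetical pin set. A real value is produced with e.g.
    //   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256
    private static final Set<String> PINS = new HashSet<>(Arrays.asList(
            "PLACEHOLDER_HEX_SHA256_OF_SPKI"));

    private final X509TrustManager platform;

    public PinningTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = platform default trust anchors
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no X509TrustManager available");
        }
        platform = found;
    }

    /** hex(SHA-256(SubjectPublicKeyInfo)) for one certificate. */
    static String spkiPin(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** True if any certificate in the chain carries a pinned public key. */
    static boolean chainMatchesPins(X509Certificate[] chain, Set<String> pins)
            throws Exception {
        for (X509Certificate c : chain) {
            if (pins.contains(spkiPin(c))) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Ordinary chain building, expiry and CA checks come first; pinning
        // only narrows the set of otherwise-valid chains that are accepted.
        platform.checkServerTrusted(chain, authType);
        try {
            if (!chainMatchesPins(chain, PINS)) {
                throw new CertificateException("public key pin mismatch for "
                        + chain[0].getSubjectX500Principal());
            }
        } catch (CertificateException e) {
            throw e;
        } catch (Exception e) {
            throw new CertificateException("pin check failed", e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers();
    }
}
```

One caveat worth noting: the `chain` argument to `checkServerTrusted` is the array the peer sent, which may include certificates that played no part in path validation. On Android 4.2 and later, the `X509TrustManagerExtensions.checkServerTrusted(chain, authType, host)` call Geremy links returns the chain that was actually validated, and running `chainMatchesPins` over that returned list instead of the raw peer array is the tighter check.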
Fed-talk mailing list (email@hidden)