Infinum iOS Talks S01E02 - SSL pinning by Adis Mustedanagić
SSL pinning

What is SSL?
• First, what happens when you make an SSL connection?
  • The client checks that the server’s certificate has a verifiable chain to a root cert
  • The certificate matches the host name
  • It does NOT check if that is your certificate

What is SSL pinning?
• In a nutshell: checking if the server’s certificate is exactly the certificate you expect it to be
• Additional layer of security vs MITM attacks
Pinning possibilities
• Pin a certificate
  • Where you match a certificate to a certificate
  • The app needs to be updated every time you renew the certificate
• Pin a public key
  • Where you match a public key
  • The app needs to be updated only if the renewed certificate has a different key
Technical implementation
• In iOS, using AFNetworking
• What you’ll need:
  • an iOS app,
  • AFNetworking,
  • a binary certificate to pin.
Technical implementation
• How to recognise a binary vs base64 certificate?
• It does not look like this:
  -----BEGIN CERTIFICATE----- 394230AFDFD4A9EFD... -----END CERTIFICATE-----
• Luckily, the above base64 can easily be converted by running the following command:
  openssl x509 -in base64.crt -outform der -out binary.cer
Technical implementation
• Add the certificate to your app’s resources bundle
• Set your security policy to the pinning mode of your choice:
  • [securityPolicy setSSLPinningMode:AFSSLPinningModeCertificate];
  • [securityPolicy setSSLPinningMode:AFSSLPinningModePublicKey];
• Done!
Pitfalls
• Don’t pin the root certificate or the entire bundle
• Certificates need to be in the same project bundle as AFNetworking
• If not, add them manually:
  NSString *cert = [[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"];
  NSData *certData = [[NSData alloc] initWithContentsOfFile:cert];
  policy.pinnedCertificates = @[certData];
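Putting the "Technical implementation" and "Pitfalls" slides together, here is an added example (not from the talk or from AFNetworking itself) of a session manager configured with public key pinning against a DER certificate shipped in the app bundle. It assumes AFNetworking 2.x, a resource named "api-cert.cer" produced with the openssl command above, and a placeholder host https://api.example.com.

```objectivec
// Added example: AFNetworking 2.x session manager with public key pinning.
// Assumptions: "api-cert.cer" (DER, from openssl) is in the main bundle and
// https://api.example.com is a placeholder host, not a real endpoint.
#import <AFNetworking/AFNetworking.h>

static AFSecurityPolicy *PinnedPolicy(void)
{
    // Public key pinning survives certificate renewals that keep the key pair.
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];

    // Load the leaf certificate explicitly instead of relying on AFNetworking
    // finding .cer files in its own bundle (the pitfall from the slide above).
    NSString *path = [[NSBundle mainBundle] pathForResource:@"api-cert" ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:path];
    NSCAssert(certData != nil, @"pinned certificate missing from bundle");
    policy.pinnedCertificates = @[certData];

    // Keep the normal SSL checks on top of the pin: chain and host name.
    policy.allowInvalidCertificates = NO;
    policy.validatesDomainName = YES;
    return policy;
}

static AFHTTPSessionManager *PinnedManager(void)
{
    NSURL *baseURL = [NSURL URLWithString:@"https://api.example.com"];
    AFHTTPSessionManager *manager =
        [[AFHTTPSessionManager alloc] initWithBaseURL:baseURL];
    manager.securityPolicy = PinnedPolicy();
    return manager;
}

// A request through the pinned manager ends in the failure block when the
// server presents a key that does not match the pinned one (e.g. a MITM proxy).
void FetchStatus(void)
{
    [PinnedManager() GET:@"/status" parameters:nil
        success:^(NSURLSessionDataTask *task, id responseObject) {
            NSLog(@"pinned request succeeded: %@", responseObject);
        }
        failure:^(NSURLSessionDataTask *task, NSError *error) {
            // Pin mismatch surfaces here as a cancelled/failed task.
            NSLog(@"pinned request failed: %@", error.localizedDescription);
        }];
}
```

To confirm the pin is actually enforced, run the app against a proxy that presents its own certificate and check that the failure block fires; if the success block runs, the certificate was not picked up.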
Further reading
• https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
• http://nsscreencast.com/episodes/73-ssl-pinning
• http://blog.lumberlabs.com/2012/04/why-app-developers-should-care-about.html
I know kung fu.