Collaborate Disseminate
my question is about using mTLS for API access control and authentication.
I understand in mTLS, both the server and client (making the API request) will verify each other’s identity. This allows the server to verify if the client certific… Continue reading Using mTLS for API access control and authentication
Recently, I read news about Facebook acquired the Onavo VPN company to monitor Snapchat users’ traffic. It seems they executed a Man-in-the-Middle attack by replacing the certificate. But could they have executed the same attack if Snapcha… Continue reading Can a VPN company perform a MiTM attack if SSL Pinning is in place?
I have a mobile app deployed to millions of user in both Android and iOS.
My Security dpto rotates our certs once a year.
Our certs are issued by GlobalSign.
I would like to pin the certificate without having to worry about the rotation of… Continue reading Will this certificate Pinning plan work as expected?
Is there any way I could inspect the traffic from an untrusted device connected to my network? I would like to get a router that has ssl inspection capabilities, where I could check the https packets sent through it, to check if cheap devi… Continue reading Router level SSL Inspection
For example, let’s say my backend address is api.xyz.com, and I have a mobile application. This application sends requests to api.xyz.com. The application employs SSL pinning, where it pins the certificate it easily obtained from api.xyz.c… Continue reading How can I enhance the security of SSL pinning in my mobile app to prevent certificate exposure?
I am currently using this code to have the public key pinning
OkHttpClientFactory okHttpClientFactory = () -> {
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(domain, "sha256/… Continue reading How to get Certificate’s Subject Public Key from CSR
I have hosted an api on an AWS Windows server, imported ssl certificates from a known CA, and made https mandatory.
Then built a client app that is an executable, then pinned the public key hash for all requests from this app to the server… Continue reading Is Certificate Pinning safe and worthwhile for an API server that will only accept requests from an android application?
According to the OWASP Cheat Sheet on Certificate Pinning, their recommendation is to pin to the leaf certificate, but also pin to the intermediate CA as a backup.
Any security measure is only as good as its weakest link, so in this case i… Continue reading Benefits of certificate pinning to leaf with intermediate as a backup?
I would like to know the process of how public keys/certificates are renewed for a website. I understand the concept of CA (Certificate Authority) chains, and how the public key/certificate for a site is signed by a CA (usually an intermed… Continue reading SSL/x509 certificate/public key expiration [duplicate]
In the domain of mobile application, certificate pinning topic is still relevant. I am trying to get opinions on best alternatives, because certificate pinning needs the storage of public keys within the mobile app, which is taken to be an… Continue reading Public Key Certificate Pinning alternatives