Collaborate Disseminate
I use Google Firebase Services. I am thinking about using only https on mobile to send and receive a payload from my server. I will have RSA encryption with a public key on all clients. So when a client wants to call my server, it’ll only … Continue reading Using application encryption instead of relying on HTTPS
Public key pinning is deprecated. Is there still some way to pin keys on browsers like chrome, edge, firefox?
For chrome I can add sites to a hsts or expect-ct list. But there is no way to pin keys or certificates. You can only query them…. Continue reading How to pin public keys in current browsers
How can I execute docker pull (with Docker Content Trust enabled) such that it fails if the image doesn’t have a valid signature using the private key corresponding to (or subordinate to) the public key that I provide?
I just discovered th… Continue reading How to pin public root key when downloading an image with docker pull (Docker Content Trust)?
I’m trying to intercept a SSLv3 connection between a PlayStation 3 client and an authentication server of and outdated game to reverse engineer its protocol.
I already tried to set up a simple MITM attack and copied every value from the or… Continue reading Force public key collision to break certificate pinning
I’m trying to analyze a SSLv3 connection. The certificate of the server has a "MD5 with RSA" signature. So I was setting up a local man in the middle attack by setting up a local DNS server that would return a local IP address to… Continue reading Forge certificate for man in the middle attack
It looks like certificates with extended validation provide better protection than certificate pinning, but I’m unsure about this.
Can you do anything other than patching apps’ compiled-code/cert-files (which is app-specific, requires manual analysis and patching + super-user/root) to intercept TLS traffic of apps that use certificate pinning?
The answer seems to be … Continue reading Is there no way to bypass certificate pinning without patching apps?
We are rolling out a new mobile app. Our security team recommends us to pin the public key in order to avoid MITM. iOS already has CT checks and we can enable that for the Android app as well.
The security team’s arguments for pinning ar… Continue reading HTTP Public Key Pinning vs Certificate Transparency, which is better and why?
I have an app which connects to an API. The API TLS certificate is about to expire and we are using Public key Pinning.
How do I rotate the certs without disabling access to our users?
When rotating certs; can I change the private key w… Continue reading Rotating TLS Certs used with Public key Pinning
I am debugging my Windows app which has SSL/TLS pinning, and i want to bypass/remove it so i can debug the endpoints. How could I get the CLIENT_HANDSHAKE that the app uses?
I can definitely patch the app but not the code because it would… Continue reading How can i bypass SSL/TLS pinning in my app?