Collaborate Disseminate
With a client side java application that interacts with the server over http, is it possible to handle certificate pinning strictly at the network layer? Meaning, if the certificate is pinned on a load balancer that handles the connection … Continue reading Can certificate pinning be achieved strictly at the network layer?
What are common mechanisms to ensure that a device firmware is not only properly signed, but actually signed by the correct device manufacturer? In TLS communications, certificate pinning or public key pinning is used. But if… Continue reading Certificate pinning for device firmware signing
Assuming I have certA with public key puA. Assume that certA has expired and I want a new certificate, certB, still with puA as the cert’s public key is pinned in an application.
How can I get a new cert, with the same publi… Continue reading Renewed certificates and public key pinning using Vault CA
I have seen many implementations of certificate pinning for HTTPS connections originated from client-side apps running on mobile devices using native libraries and plugins.
I would like to know whether such certificate pinni… Continue reading Certificate Pinning for WebSockets
What is the SockJS way of pinning SSL Certificates in the client side when contacting wss:// to avoid CA trust?
FYI, when using modules like HTTPS or WS, we can listen to the socket event and then on secureConnect, we can ge… Continue reading Certificate Pinning with SockJS
A number of popular mobile apps utilize certificate pinning, such as Facebook. Does this mean that these applications cease to function completely on corporate and academic networks that utilize SSL inspection, unless the adm… Continue reading Does SSL inspection break applications utilizing certificate pinning?
AWS recommends pinning their root certificate when implementing SSL pinning. My understanding is that SSL pinning for mobile applications mitigates a situation where an attacker has installed a malicious certificate on the de… Continue reading Why does pinning a CA root certificate not present a security risk?
As said here, certificate (or public key) pinning refers to a certificate (or a public key) which is hardcoded in the app that we want to protect and then compared to the one provided by the server.
But
Can we use the Subje… Continue reading Use subject key identifier for certificate pinning
The “Whitehat” settings will help researchers to analyze network traffic from its mobile apps by dialling back security settings. Continue reading Facebook’s Whitehat Settings lets bug-hunters dial back app security
Facebook has introduced a new feature in its platform that has been designed to make it easier for bug bounty hunters to find security flaws in Facebook, Messenger, and Instagram Android applications.
Since almost all Facebook-owned apps by default us… Continue reading New Settings Let Hackers Easily Pentest Facebook, Instagram Mobile Apps