Certificate Pinning – Page 8

How do mobile apps prevent HTTPS MITM attacks when the user installs the attacker’s CA certificate?

Posted on August 16, 2018 by K48

I am using a mobile app that installs a fake trusted CA certificate and therefore can capture the HTTPS traffic of other apps. Most of the time, this MITM attack is successful.

However, I noticed that some apps are more secu… Continue reading How do mobile apps prevent HTTPS MITM attacks when the user installs the attacker’s CA certificate?→

Robust SSL pinning on IoT device with Let’s Encrypt

Posted on July 26, 2018 by Pixel

I would like to implement SSL pinning on ESP8266. Since leaf certificate is changing quite often I would like to check for which domain leaf was issued and check that root belong Let’s Encrypt.

To which property should I pin… Continue reading Robust SSL pinning on IoT device with Let’s Encrypt→

Arduino SSL public key pinning [on hold]

Posted on June 10, 2018 by abed

I am developing an Arduino application that communicates with my web server over SSL.

I have successfully done certificate pinning as described in this tutorial:
https://www.google.com/amp/s/techtutorialsx.com/2017/11/18/esp… Continue reading Arduino SSL public key pinning [on hold]→

Can lack of certificate pinning be considered a vulnerability?

Posted on March 14, 2018 by Filipe Rodrigues

The use of certificate (or public key) pinning can be considered as a good practice for defense in depth, since it protects an application from man in the middle and DNS hijacking attacks. But can it be considered a flaw in t… Continue reading Can lack of certificate pinning be considered a vulnerability?→

Is DANE the DNS-variant of HTTP Public Key Pinning (HPKP)?

Posted on February 4, 2018 by Kevin Morssink

I’m trying to understand DANE and TLSA records more accurately. Is it fair to call DANE the DNS-variant of (or at least a very similar technique to) HTTP Public Key Pinning (HPKP)?

Because with HPKP a SSL certificate can be… Continue reading Is DANE the DNS-variant of HTTP Public Key Pinning (HPKP)?→

Is DANE the DNS-variant of HTTP Public Key Pinning (HPKP)?

Posted on February 4, 2018 by Kevin Morssink

I’m trying to understand DANE and TLSA records more accurately. Is it fair to call DANE the DNS-variant of (or at least a very similar technique to) HTTP Public Key Pinning (HPKP)?

Because with HPKP a SSL certificate can be… Continue reading Is DANE the DNS-variant of HTTP Public Key Pinning (HPKP)?→

Android application pen testing

Posted on January 16, 2018 by Rashmi Mehta

I have a mobile application with SSL pinning, with root detection enabled and source code Obfuscated. How can I exploit it?

Continue reading Android application pen testing→

Should Subject Public Key Information be the same in 2 different certificates created from the same CSR?

Posted on December 21, 2017 by Omer Levi Hevroni

Recently, I’ve worked on setting certificate pinning for our mobile app. I’m using the hash of the Subject Public Key Information (SPKI) for the pinning. Now, I was under the impression that SPKI will be the same if I’ll crea… Continue reading Should Subject Public Key Information be the same in 2 different certificates created from the same CSR?→

MITM Vulnerabilities Found in Mobile Banking Apps

Posted on December 7, 2017 by Lucian Constantin

A team of researchers has found issues with the validation of TLS certificates for mobile banking and other security-focused applications that could allow man-in-the-middle (MITM) attackers to decrypt their traffic. Some of the apps are from high-profi… Continue reading MITM Vulnerabilities Found in Mobile Banking Apps→

Banking Apps Found Vulnerable to MITM Attacks

Posted on December 7, 2017 by Tom Spring

Using a free tool called Spinner, researchers identified certificate pinning vulnerabilities in mobile banking apps that left customers vulnerable to man-in-the-middle attacks. Continue reading Banking Apps Found Vulnerable to MITM Attacks→