Talk:Pinning Cheat Sheet
Past Failures
This section is 'further reading' for those interested in surveying the landscape.
- Governments want/require interception
  - Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL, cryptome.org/ssl-mitm.pdf
  - http://www.dailymail.co.uk/indiahome/indianews/article-2126277/No-secrets-Blackberry-Security-services-intercept-data-government-gets-way-messenger-service.html
- Governments engage in interception
- Vendors provide interception taps
- Governments use interception taps
- Mobile interception is patented
  - Lawful interception for targets in a proxy mobile internet protocol network, http://www.google.com/patents/EP2332309A1
- Handset manufacturers add trusted roots
- Carriers can add trusted roots
  - No reference yet, but see http://www.theregister.co.uk/2011/12/15/carrier_iq_privacy_latest/
- CAs can become compromised
- Researchers can create rogue CAs
- DNS can become compromised
- Physical plant can become compromised
- It's easy to set up an AP or base station (Chris Paget's IMSI catcher)
- Can't trust some CAs – they will sell you out and issue subordinate CAs for money
- Can't trust some browsers – they will sell you out and elide their responsibility
- Can't trust some browsers – they include questionable certificates out of the box
- Can't override some browsers' CA list
- Can't override the OS's CA list (burned into ROM)
- CRL/OCSP does not work as expected/intended
- Users will break it too (not just bad guys)
- Interception proxies add additional risk
- HTTPS is broken
- PKI is broken
  - www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf
- The Internet is broken :)