https://wiki.owasp.org/index.php?action=history&feed=atom&title=Talk%3APinning_Cheat_Sheet 2026-04-12T19:12:10Z Revision history for this page on the wiki MediaWiki 1.27.2 https://wiki.owasp.org/index.php?title=Talk:Pinning_Cheat_Sheet&diff=144281&oldid=prev 2013-02-14T02:32:06Z

<p>Formatting</p> <table class="diff diff-contentalign-left" data-mw="interface"> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;' lang='en'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 02:32, 14 February 2013</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l8" >Line 8:</td> <td colspan="2" class="diff-lineno">Line 8:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* Governments Engage in Interception</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* Governments Engage in Interception</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>** http://www.thetechherald.com/articles/Tunisian-government-harvesting-usernames-and-passwords/12429/</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>** http://www.thetechherald.com/articles/Tunisian-government-harvesting-usernames-and-passwords/12429/</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Vendors Provide Interception Taps</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">* </ins>Vendors Provide Interception Taps</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>** http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>** http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* Governments Use Interception Taps</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* Governments Use Interception Taps</div></td></tr> </table>

Jeffrey Walton https://wiki.owasp.org/index.php?title=Talk:Pinning_Cheat_Sheet&diff=144280&oldid=prev 2013-02-14T02:31:20Z

<p>Created page with &quot;== Past Failures == This section is &#039;further reading&#039; for those interested in surveying the landscape. * Governments Want/Require Interception ** Certified Lies: Detecting a...&quot;</p> <p><b>New page</b></p><div>== Past Failures ==<br /> <br /> This section is 'further reading' for those interested in surveying the landscape.<br /> <br /> * Governments Want/Require Interception<br /> ** Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL, cryptome.org/ssl-mitm.pdf<br /> ** http://www.dailymail.co.uk/indiahome/indianews/article-2126277/No-secrets-Blackberry-Security-services-intercept-data-government-gets-way-messenger-service.html<br /> * Governments Engage in Interception<br /> ** http://www.thetechherald.com/articles/Tunisian-government-harvesting-usernames-and-passwords/12429/<br /> Vendors Provide Interception Taps<br /> ** http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html<br /> * Governments Use Interception Taps<br /> ** https://www.eff.org/nsa-spying<br /> * Mobile Interception is Patented<br /> ** Lawful interception for targets in a proxy mobile internet protocol network, http://www.google.com/patents/EP2332309A1<br /> * Handset manufactures add trusted roots<br /> ** http://gaurangkp.wordpress.com/tag/nokias-man-in-the-middle-attack/<br /> * Carriers can add trusted roots<br /> ** No reference yet, but http://www.theregister.co.uk/2011/12/15/carrier_iq_privacy_latest/<br /> * CAs can become compromised<br /> ** http://isc.sans.edu/diary.html?storyid=11500<br /> * Researchers can create Rogue CAs<br /> ** http://www.win.tue.nl/hashclash/rogue-ca/<br /> * DNS can become compromised<br /> ** http://forums.theregister.co.uk/forum/2/2011/09/05/dns_hijack_service_updated/<br /> * Physical plant can become compromised<br /> ** http://www.pcworld.com/article/119851/paris_hilton_victim_of_tmobiles_web_flaws.html<br /> * Its easy to set up an AP or Base Station (Chris Paget's IMSI Catcher)<br /> ** http://www.wired.com/threatlevel/2010/07/intercepting-cell-phone-calls/<br /> * Can't trust some CAs – they will sell you out and issue subordinate CAs for money<br /> ** http://www.net-security.org/secworld.php?id=12369<br /> ** http://www.zdnet.com/trustwave-sold-root-certificate-for-surveillance-3040095011/<br /> * Can't trust some browsers – they will sell you out and elide their responsibility<br /> ** https://bugzilla.mozilla.org/show_bug.cgi?id=724929<br /> * Can't trust some browsers – they include questionable certificates out of the box<br /> ** https://bugzilla.mozilla.org/show_bug.cgi?id=542689<br /> * Can't override some browser's CA list<br /> ** http://my.opera.com/community/forums/topic.dml?id=1580452<br /> * Can't override OS's CA list (burned into ROM)<br /> ** http://support.google.com/android/bin/answer.py?hl=en&amp;answer=1649774<br /> * CRL/OCSP does not work as expected/intended<br /> ** http://blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modern-browsers.html<br /> ** https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion<br /> * User will break it too (not just bad guys)<br /> ** http://www.esecurityplanet.com/mobile-security/hacker-bypasses-apples-ios-in-app-purchases.html<br /> ** http://www.h-online.com/security/news/item/Apps-for-Windows-8-easily-hacked-1767839.html<br /> * Interception proxies add additional risk<br /> ** http://blog.cryptographyengineering.com/2012/03/how-do-interception-proxies-fail.html<br /> * HTTPS is broken<br /> ** http://www.thoughtcrime.org/software/sslstrip/<br /> * PKI is broken<br /> ** www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf<br /> * The Internet is Broken :)<br /> ** http://blog.cryptographyengineering.com/2012/02/how-to-fix-internet.html</div>

Jeffrey Walton