This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Talk:Certificate and Public Key Pinning"

From OWASP
Jump to: navigation, search
(Operational considerations)
(Android example contains code that breaks apps: new section)
Line 77: Line 77:
  
 
[[User:Michael Goodwin|Michael Goodwin]] ([[User talk:Michael Goodwin|talk]]) 06:20, 2 April 2015 (CDT)
 
[[User:Michael Goodwin|Michael Goodwin]] ([[User talk:Michael Goodwin|talk]]) 06:20, 2 April 2015 (CDT)
 +
 +
== Android example contains code that breaks apps  ==
 +
 +
The Android code example contains a section where it checks that the authtype equals "RSA".  F5 recently changed their default authtypes to RSA-DHE.  This meant that when we upgraded our F5's in production, all of our Android mobile apps broke.  Obviously a big issue.
 +
 +
What is the compelling reason for this line of code:
 +
 +
if (!(null != authType && authType.equalsIgnoreCase("RSA"))) {
 +
      throw new CertificateException("checkServerTrusted: AuthType is not RSA");
 +
    }

Revision as of 16:57, 14 April 2015

Past Failures

This section is 'further reading' for those interested in surveying the landscape.

Operational considerations

We use certificate pinning very commonly in my organization (yay for us) but we recently hit a problem when we were routinely changing a certificate on a service. The development team for one of the client applications and implemented pinning, but they had not considered what would happen when the certificate changed.

The majority of our clients support 2 pinned certificates at a time, so when we want to change the server cert the process is

1) Configure the new server cert in the client alongside the old one 2) Replace the old cert on the server 3) Configure the old cert from the client

This way we can do the cert rotation usually with no downtime for the client.

The team in question did not do this, which meant they had to have a few minutes of downtime (this is important as we have a demanding SLA) and also it meant that we had to do the change out of office hours to minimize the impact.

So, my suggestion is that we expand this page to include a section on "Operational considerations" that outlines the recommended approach.

Thoughts?

If no-one objects, I will add the new section in a couple of days.

Michael Goodwin (talk) 06:20, 2 April 2015 (CDT)

Android example contains code that breaks apps

The Android code example contains a section where it checks that the authtype equals "RSA". F5 recently changed their default authtypes to RSA-DHE. This meant that when we upgraded our F5's in production, all of our Android mobile apps broke. Obviously a big issue.

What is the compelling reason for this line of code:

if (!(null != authType && authType.equalsIgnoreCase("RSA"))) {

     throw new CertificateException("checkServerTrusted: AuthType is not RSA");
   }