Certificate pinning

Transcript

1. None

2. You should pin anytime you want to be relatively certain

   of the remote host's identity or when operating in a hostile environment. Since one or both are almost always true, you should probably pin all the time… OWASP, Mobile top 10

3. Certificate pinning ? ► Le « certificate pinning » permet

   d’associer une clé publique à un serveur Web spécifique ► En se basant uniquement sur le magasin de certificats, une application est vulnérable aux attaques de type MITM (ajout d’un certificat frauduleux, « fake » AP, compromissions des AC de confiances*, ...) * https://www.certificate-transparency.org, https://github.com/Babylonpartners/certificate-transparency-android

4. Où ? Quoi ? Comment ? f7 8a 3a 62

   0b 4b 2b 7f 4d 46 f4 ae db e8 e6 33

5. AWS recommends against using certificate pinning because it introduces a

   potential availability risk… AWS, blog security

6. HPKP DEPRECATED HTTP Public Key Pinning

7. Why You Shouldn't Use The Wi-Fi In Your Airbnb

8. @Frida CodeShare

9. Obfuscation Certificate Pinning (custom) Secure channel

10. None