Hello! Is there a way to pin the certificate/public key used for encryption negotiation[1]? So no malware can just set a self-signed cert as "allowed" on the user's system and snoop all https traffic.
[1]: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
Certificate pinning
Re: Certificate pinning
Hi,
I understand the "key pinning" issue and I don't think this is supported in any of the client side languages.
We base the security on the process and API provided by each platform, e.g. .Net or Java, so unless they provide native support for key-pinning, I don't think it's feasible.
> So no malware can just set a self-signed cert as "allowed" on the user's system and snoop all https traffic.
This part I don't get.
The certificate is on the server side, not the client. So I am not sure what malware we are talking about. If malware gets installed on a server it's always bad, regardless of what kind of attack it performs...
cheers
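As an added example (not code from either poster, nor from any project): where the platform's TLS API hands the client the peer certificate after the handshake, as Python's standard ssl module does through getpeercert(binary_form=True), the client can compute the HPKP-style pin from the thread's reference[1], base64 of SHA-256 over the DER SubjectPublicKeyInfo, and refuse to send any data unless it matches an expected pin. The DER helpers, the PinMismatch class, the function names and the sample certificate below are assumptions made for this example; the certificate is a constructed, unsigned placeholder with a dummy RSA modulus, not a real one.

```python
# Added example: SPKI public-key pinning for a Python TLS client.
# Helper names, PinMismatch and the sample certificate are assumptions of this example.
import base64
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Peer's leaf public key is not in the expected pin set."""


# --- minimal DER helpers, enough to walk an X.509 certificate ----------------

def _der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Encode one TLV; used only to build the constructed sample certificate."""
    return bytes([tag]) + _der_len(len(content)) + content


def _header_len(tlv):
    """Number of tag+length octets at the start of a TLV."""
    first = tlv[1]
    return 2 if first < 0x80 else 2 + (first & 0x7F)


def der_content(tlv):
    """Content octets of a TLV with tag and length stripped."""
    return tlv[_header_len(tlv):]


def der_children(data):
    """Split the content of a constructed value into its child TLVs (raw bytes)."""
    out, i = [], 0
    while i < len(data):
        hdr = _header_len(data[i:i + 2])
        first = data[i + 1]
        length = first if first < 0x80 else int.from_bytes(data[i + 2:i + hdr], "big")
        out.append(data[i:i + hdr + length])
        i += hdr + length
    return out


def spki_from_cert(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serialNumber, signature,
                             issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tbs = der_children(der_content(cert_der))[0]
    fields = der_children(der_content(tbs))
    if fields[0][0] == 0xA0:      # explicit [0] version is present
        fields = fields[1:]
    return fields[5]              # serial, sigalg, issuer, validity, subject, SPKI


def pin_of_spki(spki_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_of_cert(cert_der):
    return pin_of_spki(spki_from_cert(cert_der))


def pin_matches(cert_der, expected_pins):
    """True when the certificate's public key is one of the expected pins."""
    return pin_of_cert(cert_der) in set(expected_pins)


def connect_pinned(host, port, expected_pins, timeout=10):
    """TLS connect that enforces an SPKI pin on the leaf, on top of (not instead of)
    the chain validation wrap_socket() performs against the system trust store.
    A locally installed rogue root that passes chain validation still fails here,
    and the check runs before any application data is sent."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        leaf = tls.getpeercert(binary_form=True)
        if not pin_matches(leaf, expected_pins):
            raise PinMismatch(f"{host}: leaf pin {pin_of_cert(leaf)} not in expected set")
    except Exception:
        tls.close()
        raise
    return tls


def sample_certificate():
    """Constructed, unsigned placeholder certificate with a dummy RSA modulus.
    Returns (certificate DER, SubjectPublicKeyInfo DER)."""
    def oid(hexs):
        return der(0x06, bytes.fromhex(hexs))
    alg_rsa = der(0x30, oid("2a864886f70d010101") + der(0x05, b""))  # rsaEncryption
    alg_sig = der(0x30, oid("2a864886f70d01010b") + der(0x05, b""))  # sha256WithRSAEncryption
    rsa_key = der(0x30, der(0x02, b"\x00" + b"\xc3" * 64) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, alg_rsa + der(0x03, b"\x00" + rsa_key))
    name = der(0x30, der(0x31, der(0x30, oid("550403") + der(0x0c, b"example.test"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg_sig
              + name + validity + name + spki)
    return der(0x30, tbs + alg_sig + der(0x03, b"\x00" * 65)), spki


if __name__ == "__main__":
    cert, spki = sample_certificate()
    print("pin-sha256=" + pin_of_cert(cert))
    # Real use: connect_pinned("example.test", 443, {"<pin of live key>", "<backup pin>"})
```

Two things a practitioner will want with this: pin the SPKI rather than the whole certificate, so a routine reissue with the same key keeps working, and always ship a backup pin for a key held offline, otherwise the next key rotation locks out every deployed client. The pin check is layered on top of normal chain validation, not used in place of it.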