Sildaekar Posted May 14, 2015

Ok, so I know the basics of SSL, as well as HSTS, but I recently got to thinking about MitM attacks using some sort of proxy such as mitmproxy. The proxy would basically generate self-signed certs and send them to the client, and yes, I know there would be that ugly popup. I recently, however, came across cert pinning and was wondering just how widespread this is? I mean, for example, if I visited https://google.com/ and attempted to sniff the password I entered using the method stated above, would certificate pinning prevent this? Also, just how widespread is this practice? My apologies, but this is my first time hearing of this and all I know is what I read over at the security stackexchange.
cooper Posted May 14, 2015

Further reading. Basically, certificate pinning is a way by which the server ensures someone doesn't switch the cert on the client while the server cert is still valid, thus thwarting an MitM attack that involves SSL. It's like HSTS on steroids and the same rules apply: if you MitM before first contact, you can be successful. In all other cases your deception will be discovered by the client and it will subsequently refuse to communicate with you.
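
The remember-then-compare behaviour cooper describes, as an added example that is not part of the original thread: a small client-side pin store in Python, assuming HPKP-style pins (base64 of the SHA-256 of the certificate's public key info, as in RFC 7469). `PinStore`, `demo`, the host `example.test` and the byte strings standing in for keys are hypothetical and constructed for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

class PinStore:
    """What the client remembers per host (hypothetical helper)."""

    def __init__(self):
        self._pins = {}  # host -> (set of pins, expiry time in seconds)

    def check(self, host, chain_spkis, advertised_pins, max_age, now):
        """Judge one connection: 'first-contact', 'ok' or 'pin-mismatch'."""
        seen = {spki_pin(s) for s in chain_spkis}
        entry = self._pins.get(host)
        if entry and entry[1] > now:
            if not (entry[0] & seen):
                return "pin-mismatch"  # key was swapped: refuse, keep old pins
            verdict = "ok"
        else:
            verdict = "first-contact"  # nothing remembered, or pins expired
        # Remember advertised pins only if one matches the chain just seen.
        if set(advertised_pins) & seen:
            self._pins[host] = (set(advertised_pins), now + max_age)
        return verdict

# Constructed stand-ins for DER public key bytes; these are not real keys.
SITE_KEY = b"constructed-spki-site"
BACKUP_KEY = b"constructed-spki-backup"
PROXY_KEY = b"constructed-spki-proxy"

def demo():
    site_pins = [spki_pin(SITE_KEY), spki_pin(BACKUP_KEY)]
    proxy_pins = [spki_pin(PROXY_KEY)]
    store = PinStore()
    host = "example.test"  # hypothetical host
    return [
        store.check(host, [SITE_KEY], site_pins, 3600, now=0),     # pins learned
        store.check(host, [SITE_KEY], site_pins, 3600, now=10),    # same key
        store.check(host, [PROXY_KEY], proxy_pins, 3600, now=20),  # swapped key
        # Pins have expired: the client is back at first contact and has
        # nothing to compare against, the limit cooper points out.
        store.check(host, [PROXY_KEY], proxy_pins, 3600, now=99999),
    ]

if __name__ == "__main__":
    print(demo())
```

The pin set includes a backup key so the site can rotate its certificate without locking out clients that still hold the old pins.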
Sildaekar (Author) Posted May 15, 2015

Thanks for the further reading and extra info, Cooper... you're awesome!