Commit 9897053

blog post about ssl pinning
1 parent 97835bb commit 9897053

1 file changed

+24
-0
lines changed

@@ -0,0 +1,24 @@
1+
---
2+
layout: post
3+
4+
title: The Importance of SSL Pinning
5+
category: blog
6+
7+
author:
8+
name: Chris Ballinger
9+
twitter: chrisballingr
10+
gplus: 110173710196322914492
11+
bio: Lead Developer
12+
---
13+
14+
![SSL Pinning Support](/images/ssl_pinning.jpg)
15+
16+
You may have noticed there was a [very important security update](http://support.apple.com/kb/HT6147?viewlocale=en_US&locale=en_US) for iOS devices lately that patches a flaw allowing the complete bypass of certificate checks for any apps that use the default system-wide TLS library, Security.framework. There is a pretty good description of the vulnerability [here](https://www.imperialviolet.org/2014/02/22/applebug.html), if you're interested.
17+
18+
If you use the latest versions of ChatSecure you are now using a feature called SSL pinning that allows for you to manually inspect and remember the SSL certificates of the servers you connect to, bypassing the CA system entirely.
19+
20+
**However**, if you do not update to iOS 7.0.6 or higher and you are being actively [MitMed](https://en.wikipedia.org/wiki/Man-in-the-middle_attack), the alert dialog ([pictured above](/images/ssl_pinning.jpg)) may provide misleading information in the form of a green ✓ instead of a red ✗ with the appropriate certificate error. This is because XMPPFramework's socket library, GCDAsyncSocket, relies on Apple's faulty SSL verification routine. Fortunately the displayed SHA-1 hash will still not match, so it is especially important to check the double-check the fingerprint of any new certificate before you store it.
21+
22+
It is especially important to update all of your devices as soon as possible because apps that don't implement certificate pinning will not display any warning at all when your connection is compromised. Unfortunately most apps do not implement this functionality, [including many banking apps](http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html).
23+
24+
Additionally, if you are using OS 10.9.1, please avoid using Safari (or other programs that use Security.framework) until this vulnerability is patched on OS X as well.
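Review bot: line 20 of the post contains a duplicated phrase, "check the double-check the fingerprint"; suggest "double-check the fingerprint". On line 24, "OS 10.9.1" sits in the same sentence as "OS X", so "OS X 10.9.1" would be consistent. Since line 20 explains that the green check mark cannot be trusted on a device that has not been updated to iOS 7.0.6, it would help readers if the same paragraph said explicitly that the SHA-1 fingerprint shown in the dialog should be compared against a value obtained from the server operator rather than relying on the dialog's own indicator.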
