No verification of the provided SSL certificate #934
Comments
👍 An example project can be found here:
👍 for pinning certs. It would be nice to also be able to pin certificates of your own ownCloud servers by putting the hash in a settings option. This way you do not have the proposed "trust on first use" approach as suggested by @canihavesomecoffee. The TOFU way has some problems when web admins switch the certificates, which would cause the sites to be inaccessible. HPKP is actually a standard for pinning certificates on first use. It is proven to work in current browsers and it mitigates the "certificate switch" issue (read something about HPKP to see how). BTW: the title implies bad things. Actually the cert is verified (against the root certs), but no key pinning is used. So the title should be changed to "Implement key pinning for HTTPS" or something similar.
Expected behaviour
The SSL certificate should be checked against a stored one, to prevent MITM attacks by an attacker holding a wildcard or otherwise globally valid certificate. This is implemented by a lot of companies, including competitors like Dropbox (https://blogs.dropbox.com/dropbox/2014/06/weve-got-your-back/).
Actual behaviour
OwnCloud app runs as usual, not doing anything.
Steps to reproduce
Prerequisites:
Environment data
Android version: global (4.2.2 in my case)
Device model: global (Acer V370)
Stock or customized system: Stock
ownCloud app version: 1.7.0
ownCloud server version: 8.0.2
Logs
Web server error log
N/A
ownCloud log (data/owncloud.log)
N/A
Proposed solution
My proposal to fix this issue would be storing the certificate (or at least a signature/hash of it) when you are configuring the app (first login), and subsequently checking the certificate presented by the server before sending any important data. If the certificate does not match, warn the user or fail the connection.
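The first-login pinning scheme proposed above, combined with the multiple-pin rotation point raised in the HPKP comment, as an added Python example (not the ownCloud app's own code, which is Java): a pin is the SHA-256 fingerprint of the DER-encoded server certificate, the chain is still verified against the system roots first, and the host name, certificate bytes and `demo()` are constructed for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint(cert_der: bytes) -> str:
    """Pin value: hex SHA-256 of the DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Per-host pins recorded on first login (trust on first use).
    Several pins per host are allowed so an admin can announce a backup
    certificate before rotating, as HPKP does, to avoid locking users out."""

    def __init__(self):
        self._pins = {}  # host -> set of hex fingerprints

    def add_pin(self, host: str, fp: str) -> None:
        self._pins.setdefault(host, set()).add(fp)

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        pins = self._pins.get(host)
        if pins is None:
            self.add_pin(host, fp)  # first use: record and trust
            return "first-use"
        return "match" if fp in pins else "mismatch"


def connect_pinned(host: str, port: int, store: PinStore) -> ssl.SSLSocket:
    """Open a TLS connection, verify the chain against the system roots (what
    the app already does), then refuse to send anything if the pin mismatches."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if store.check(host, tls.getpeercert(binary_form=True)) == "mismatch":
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match stored pin")
    return tls


# Constructed stand-ins for DER certificates (not real certificates).
CERT_A = b"constructed-cert-A"
CERT_B = b"constructed-cert-B"
CERT_ROTATED = b"constructed-cert-rotated"


def demo():
    store = PinStore()
    r1 = store.check("cloud.example.org", CERT_A)  # "first-use": pin recorded
    r2 = store.check("cloud.example.org", CERT_A)  # "match"
    r3 = store.check("cloud.example.org", CERT_B)  # "mismatch": possible MITM, fail closed
    store.add_pin("cloud.example.org", fingerprint(CERT_ROTATED))  # backup pin announced in advance
    r4 = store.check("cloud.example.org", CERT_ROTATED)  # "match": rotation does not lock out
    return r1, r2, r3, r4
```

Pinning the user's own server this way only helps if the pin store itself is protected from other apps, so it belongs in app-private storage rather than a world-readable settings file.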