SSL Certificate Pinning using flutter #16066

Closed
long1eu opened this issue Mar 29, 2018 · 13 comments
Labels
dependency: dart Dart team may need to help us


long1eu commented Mar 29, 2018

I want to add a trusted certificate to my HttpClient, but this is not very efficient. Certificates expire so I want to pin the public key. Is there a way to do this in dart/flutter?


us3soap commented May 29, 2018

We publish a plugin, https://pub.dartlang.org/packages/ssl_pinning_plugin, to check pinning with a fingerprint (SHA-1).

@jamespet77

Is this available yet? Documentation?


us3soap commented Aug 2, 2018

It's operational, we are writing the documentation for the release.

@jamespet77

That would be great. So you have a new release for the 0.5.7 beta? It doesn't seem to be compatible with the latest Flutter beta. Getting error:

The current Flutter SDK version is 0.5.7.

Because ssl_pinning_plugin requires Flutter SDK version ^0.4.4, version solving failed.

@zoechi zoechi added the dependency: dart Dart team may need to help us label Aug 2, 2018
Contributor

zoechi commented Aug 2, 2018

dart-lang/sdk#33115 mentions that this is now fixed in Flutter
Can anyone confirm?

@zoechi zoechi added the waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds label Aug 2, 2018
Author

long1eu commented Aug 2, 2018

Yes, it works.

@no-response no-response bot removed the waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds label Aug 2, 2018
@zoechi zoechi closed this as completed Aug 2, 2018
Contributor

zoechi commented Aug 2, 2018

Great! Thanks for the update @long1eu 👍


giaur500 commented Feb 8, 2019

Well, as I can see, only sha1 is supported. This is a shame, sha1 is very weak. Any thoughts to add sha256? Sha1 is not even worth

Contributor

zoechi commented Feb 10, 2019

@giaur500 please create a feature request in https://github.com/dart-lang/sdk/issues


sandeepcmsm commented Feb 18, 2019

@zoechi @mit-mit thanks for certificate pinning support. Can the SecurityContext validate a public key instead of a certificate? This is more future proof, as certificate pinning comes with issues of certificate expiry. Or can X509Certificate include the public key SHA-256 signature, since most native apps are built on public key pinning? This has become one major blockage for our client. Can we reopen the current issue and dart-lang/sdk#33115, since there has not been any activity on the Dart SDK issue for months?


pa1more commented Jun 6, 2019

Is this issue resolved for SHA2 certificates?

I used a webview in my application and it stopped after I installed SSL on my server.

Contributor

mleonhard commented Sep 26, 2019

The ssl_pinning_plugin makes its own HTTPS request and checks the certificate. It does not check certificates used by the app's real requests. I see no way to accomplish that with the plugin. This means that apps using the plugin are still vulnerable to MITM.

Edit: I requested a fix in macif-dev/ssl_pinning_plugin#3.
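The gap described in the comment above is closed when the pin is enforced on the same `HttpClient` that carries the app's real requests. The sketch below is an added example, not code from this thread, the plugin, or the Flutter/Dart teams. It assumes `package:crypto` is a dependency; `pinned_ca.pem`, the pin string and `api.example.com` are hypothetical placeholders.

```dart
import 'dart:convert';
import 'dart:io';

import 'package:crypto/crypto.dart'; // assumption: package:crypto is in pubspec.yaml

/// Base64-encoded SHA-256 digest of the certificate's DER bytes.
String fingerprint(X509Certificate cert) =>
    base64.encode(sha256.convert(cert.der).bytes);

/// HttpClient that ignores the platform root store and trusts only the CA
/// certificate(s) in [caPem]. A chain issued by any other CA fails the TLS
/// handshake, before any request data is written.
HttpClient pinnedClient(List<int> caPem) {
  final context = SecurityContext(withTrustedRoots: false)
    ..setTrustedCertificatesBytes(caPem);
  return HttpClient(context: context);
}

/// Sends the app's real GET through [client] and checks the certificate of
/// that same connection against [leafPins]. This second check runs after the
/// request has been sent, so it protects the response, not the request.
Future<String> pinnedGet(
    HttpClient client, Uri url, Set<String> leafPins) async {
  final request = await client.getUrl(url);
  final response = await request.close();
  final cert = response.certificate; // null when the connection is not TLS
  if (cert == null || !leafPins.contains(fingerprint(cert))) {
    throw HttpException('certificate pin mismatch', uri: url);
  }
  return response.transform(utf8.decoder).join();
}

Future<void> main() async {
  // Hypothetical inputs: replace the file, pin and URL with your own.
  final caPem = await File('pinned_ca.pem').readAsBytes();
  const leafPins = {'<base64 SHA-256 of the server certificate DER>'};
  final client = pinnedClient(caPem);
  try {
    final url = Uri.parse('https://api.example.com/');
    print(await pinnedGet(client, url, leafPins));
  } on HandshakeException catch (e) {
    print('untrusted chain: $e');
  } on HttpException catch (e) {
    print('rejected: $e');
  } finally {
    client.close(force: true);
  }
}
```

The fingerprint here covers the whole certificate, so the leaf pin has to be updated whenever the server certificate is renewed; it is not the public-key pin requested earlier in the thread.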

@github-actions

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 27, 2021