Allowing API Calls to Non-listed PublicKeys

[Ali-Haider-CreditBook]

I am facing an issue where it is also allowing API calls to other hosts that I didn't list down while initializing.

[frw]

I am facing an issue where it is also allowing API calls to other hosts that I didn't list down while initializing.

Hi @Ali-Haider-CreditBook, apologies, just saw this discussion. To clarify, is the intended behavior you're looking for to prevent network connections to other hosts that are not listed in the SSL pinning library? If so, this library does not support that behavior as the primary purpose is to verify the server you're communicating with is associated with the right certificates to prevent MitM attacks.

You can read more about SSL pinning here: https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning

Out of curiosity, why do you need to prevent communication with other hosts?

[idanCohenDev]

Hey @frw,

When i add the code provided in the documentation like so:

 await initializeSslPinning({
    'google.com': {
      includeSubdomains: true,
      publicKeyHashes: [
        'CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk=',
        'hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=',
        'Vfd95BwDeSQo+NUYxVEEIlvkOlWY2SalKK1lPhzOx78=',
        'QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=',
        'mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=',
      ],
    },
  });

And try to access for example the following url https://api.sampleapis.com/wines/rose i can still communicate with it even tough a different ssl certificate is pinned to the application. Is it the expected behavior?

Thank you!

[frw]

@idanCohenDev

Yes this is the current expected behavior. Domains where you do not set a pinning configuration will be ignored and allowed to connect (i.e. the default decision is to allow the connection).
If there is a specific use case for blocking connections to domains in the pinning configuration, you can add on to this discussion: #183