SSL Pinning and/or CA Restriction Support #307

Open
jakehow opened this Issue Feb 26, 2012 · 2 comments

@jakehow
jakehow commented Feb 26, 2012

I am not sure if this is possible with the frameworks available in iOS, but thought this may be a good place for discussion.

For background see: http://www.imperialviolet.org/2011/05/04/pinning.html
and: http://tools.ietf.org/html/draft-evans-palmer-hsts-pinning

We would like to be able to limit SSL communication in our application to using specified certificates, in order to eliminate the risks mentioned in the imperial violet article such as a rooted CA issuing a certificate to a rogue third party.

@jogu
Collaborator
jogu commented Feb 26, 2012

There's some discussion about how a similar sounding concept might be implemented here:

http://groups.google.com/group/asihttprequest/browse_thread/thread/63282c47943a2f95?pli=1

With the way ASIHTTPRequest is written, it doesn't seem to be entirely possible (you can't verify the certificate before data is sent to the server). I don't know if any of the NSURLConnection based approaches would allow this to be done.

@jakehow
jakehow commented Feb 27, 2012

Cool, also found this which may help frame the issue:

http://blog.securemacprogramming.com/2011/12/on-ssl-pinning-for-cocoa-touch/
