store: add basic certificate pinning #2316

mvo5 · Nov 21, 2016

Some questions we need to discuss:

What endpoints to pin certs? strawman:
a) login.ubuntu.com because it gets passwords
b) search.apps.ubuntu.com because the client trusts the data without additional checks
c) NOT public.apps.ubuntu.com - we check snaps based on assertions
d) NOT assertions.ubuntu.com - we cross check assertions anyway
e) myapps.developer.ubuntu.com - icons?
public.apps.ubuntu.com redirects to a https internapcdn.net site for snap downloads:
a) do not use https for snapdownloads
b) disable cert pinning for snap downloads
how to manage whitelist of pinned certs?
a1) create new valid-certs-assertions
a2) disable cert pinning for assertions.ubuntu.com
a3) refresh valid-certs-assertion regularly
a4) use content of valid-cert-assertion for the cert checks

mvo5 · Nov 23, 2016

Closing for now as there is more work here

mvo5 added some commits Nov 21, 2016

add basic certificate pinning

26c2169

Merge remote-tracking branch 'upstream/master' into feature/cert-pin

ab91cd1

add certs for login.ubuntu.com,myapps.ubuntu.com

4082cd2

mvo5 closed this Nov 23, 2016

snapcore/snapd

store: add basic certificate pinning #2316

mvo5 commented Nov 21, 2016

mvo5 added some commits Nov 21, 2016

mvo5 commented Nov 23, 2016

mvo5 closed this Nov 23, 2016

snapcore/snapd

Join GitHub today

store: add basic certificate pinning #2316

Conversation

mvo5 commented Nov 21, 2016

mvo5 added some commits Nov 21, 2016

mvo5 commented Nov 23, 2016

mvo5 closed this Nov 23, 2016