Security Vulnerabilities in Certificate Pinning
New research found that many banks offer certificate pinning as a security feature, but fail to authenticate the hostname. This leaves the systems open to man-in-the-middle attacks.
From the paper:
Abstract: Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a high security certificate from the same issuer (and often the same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps, was also vulnerable. These apps have a joint user base of tens of millions of users.
News article.
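To make the abstract's point concrete, here is an added toy model (written for this post, not code from the paper or from Spinner) of the two verification paths. Certificates are plain records with a constructed SPKI blob rather than real X.509, and the chain is linked by issuer name only; the pin set is a SHA-256 digest of the pinned SPKI in the HPKP/OkHttp style. The app is assumed to pin the intermediate CA, which is the situation the paper highlights: any other leaf issued by that CA then carries the pinned key, so a verifier that checks the pin but never the hostname accepts a swapped certificate, while one that also matches the leaf's SAN entries against the requested host rejects it.

```python
"""Toy model: certificate pinning with and without hostname verification.

Constructed example, not real X.509 handling. Chain validation here is
issuer-name linkage only; a real implementation checks signatures, validity
periods and revocation as well.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    subject_cn: str
    issuer_cn: str
    spki: bytes                                   # subject public key info (constructed)
    san_dns: List[str] = field(default_factory=list)


def spki_sha256(cert: Cert) -> str:
    """SPKI pin value, as used by HPKP-style pinning."""
    return hashlib.sha256(cert.spki).hexdigest()


# Constructed chain: one intermediate CA and two leaves it issued.
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root", b"spki-intermediate-key")
BANK_LEAF = Cert("www.example-bank.test", "Example Intermediate CA", b"spki-bank-key",
                 san_dns=["www.example-bank.test", "api.example-bank.test"])
OTHER_LEAF = Cert("www.unrelated-shop.test", "Example Intermediate CA", b"spki-shop-key",
                  san_dns=["*.unrelated-shop.test"])

# The app pins the intermediate CA's key (assumption for this example).
PINNED_SPKI = {spki_sha256(INTERMEDIATE)}


def chain_is_pinned(chain, pins):
    """True if the chain links by issuer name and some element carries a pinned key."""
    for parent, child in zip(chain[1:], chain[:-1]):
        if child.issuer_cn != parent.subject_cn:
            return False
    return any(spki_sha256(c) in pins for c in chain)


def hostname_matches(hostname, pattern):
    """RFC 6125-style match: wildcard only as the whole leftmost label,
    never matching across a dot, and never as the only label before the TLD."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def leaf_matches_host(leaf, hostname):
    # Fall back to the CN only when the certificate has no SAN entries.
    names = leaf.san_dns or [leaf.subject_cn]
    return any(hostname_matches(hostname, n) for n in names)


def verify_pin_only(chain, hostname, pins=PINNED_SPKI):
    """The flawed pattern described in the paper: pin check, no hostname check."""
    return chain_is_pinned(chain, pins)


def verify_pin_and_hostname(chain, hostname, pins=PINNED_SPKI):
    """Correct behaviour: the leaf must name the host and the chain must be pinned."""
    return leaf_matches_host(chain[0], hostname) and chain_is_pinned(chain, pins)


def demo():
    target = "www.example-bank.test"
    legit = [BANK_LEAF, INTERMEDIATE]
    # An interposed party presenting a different leaf from the same intermediate CA.
    swapped = [OTHER_LEAF, INTERMEDIATE]
    return {
        "pin_only_legit": verify_pin_only(legit, target),
        "pin_only_swapped": verify_pin_only(swapped, target),      # accepted: the flaw
        "full_legit": verify_pin_and_hostname(legit, target),
        "full_swapped": verify_pin_and_hostname(swapped, target),  # rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `pin_only_swapped` case is what Spinner detects from the outside: the client completes the handshake with a certificate that carries the pinned key but names a different host. Note that a leaf-only pin narrows the exposure but does not remove it; the hostname check is still the control that binds the key to the name the user asked for.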
Petre Peter • December 8, 2017 10:44 AM
Remember! “Quis custodiet ipsos custodes”. I don’t remember when the last time was that I verified the verifier. I am just not ready to trade convenience or risk retaliation. Certificates are a good idea but the last US election did not, peacefully, convince me that the losing side lost. At a certain level, verification relies on multiplication which is related to retaliation. In this level, quantity triumphs over quality and stagnation becomes the destination. For me, this triumph is the current definition for certificate until I learn how to write and store my own records the beginning of proving that my liver is working.