by unluckier 3966 days ago
It's pretty simple if the OS you're using allows you to install a trusted root CA certificate.
2 comments

Except apps like this should probably not be using the OS CA store, and instead just pin their own CA cert. Doesn't seem to be the case here but in general I think pinning is getting more adoption, isn't it?
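As an added illustration of what "pin their own CA cert" means in practice (this is example code written for this thread, not code from the original post or from any app discussed in it): a public-key pin is the SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, base64-encoded, which is the form OkHttp's CertificatePinner and the Android Network Security Config use. The block below walks the ASN.1 of a certificate with a minimal TLV reader to pull out that SPKI, computes the pin, and checks it against a configured pin set. The function names (`extract_spki`, `spki_pin`, `check_pin`) are made up for the example, and `SAMPLE_CERT` is a constructed certificate-shaped DER blob with a dummy key, not a real certificate.

```python
"""Constructed example: compute and check SPKI pins against a DER certificate
using a minimal ASN.1 walker (standard library only)."""
import base64
import hashlib


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample cert)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, raw_tlv, body, next_pos)."""
    start = pos
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[start:end], buf[pos:end], end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, _, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, _, tbs_body, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, _, nxt = _read_tlv(tbs_body, pos)
    if tag == 0xA0:                        # explicit [0] version is optional
        pos = nxt
    for _ in range(5):                     # serial, sigalg, issuer, validity, subject
        _, _, _, pos = _read_tlv(tbs_body, pos)
    tag, spki_raw, _, _ = _read_tlv(tbs_body, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def check_pin(cert_der: bytes, pinned: set) -> bool:
    """True if the certificate's SPKI pin is in the configured pin set.

    In a real client this runs in addition to normal chain and hostname
    validation, never instead of it.
    """
    return spki_pin(extract_spki(cert_der)) in pinned


# --- constructed sample certificate (dummy key, not a real certificate) -----
_RSA_OID = _tlv(0x06, bytes.fromhex("2A864886F70D010101"))   # rsaEncryption OID
_ALG_ID = _tlv(0x30, _RSA_OID + _tlv(0x05, b""))              # AlgorithmIdentifier
_FAKE_KEY = _tlv(0x03, b"\x00" + bytes(range(1, 33)))          # BIT STRING, dummy key
SAMPLE_SPKI = _tlv(0x30, _ALG_ID + _FAKE_KEY)
_NAME = _tlv(0x30, b"")                                         # empty Name
_VALIDITY = _tlv(0x30, _tlv(0x17, b"150101000000Z") * 2)        # two UTCTime values
_TBS = _tlv(0x30,
            _tlv(0xA0, _tlv(0x02, b"\x02")) +                   # version v3
            _tlv(0x02, b"\x01") +                               # serialNumber 1
            _ALG_ID + _NAME + _VALIDITY + _NAME + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, _TBS + _ALG_ID + _tlv(0x03, b"\x00\x00"))

if __name__ == "__main__":
    pin = spki_pin(SAMPLE_SPKI)
    print("pin:", pin)
    print("matches own pin:", check_pin(SAMPLE_CERT, {pin}))
    print("matches unrelated pin:", check_pin(SAMPLE_CERT, {spki_pin(b"other")}))
```

Pinning the SPKI rather than the whole certificate is what lets the server rotate certificates under the same key without breaking clients, which is why deployed pin sets usually also carry a backup pin for a key held offline.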

Not really, heck, on Android and iOS around 40% of banking apps don't even check the certificate at all.

Most people, even most developers seem to be pretty clueless with this stuff.

The paper won't be available to everyone until Wednesday at [1], but:

> Altogether, of the 639,283 [Android] apps in our data-set, 45 implement pinning.

[1]: https://www.usenix.org/conference/usenixsecurity15/technical...

> on Android and iOS around 40% of banking apps don't even check the certificate at all.

Please name and shame, this sounds pretty surprising!

List of Android SSL MITM vulnerable apps: https://samsclass.info/128/proj/popular-ssl.htm

Highly recommend any material on the main site as well. One of the few legit infosec professors I have ever interacted with.

At least for Android: https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w...

There are several banking-related apps listed here.

Heard that on an old Security Now episode; https://www.grc.com/sn/sn-443-notes.pdf is the best I have, unfortunately. There's mention of it near the bottom there.

> just pin their own CA cert.

No. No application or OS should impose its own CA on an end user without choice. I get the importance of encrypted traffic flowing over the internet, but I also have concerns about traffic leaving my own network. Neither at my home nor at my business do I want an encrypted stream of traffic flowing out of my network without my being able to inspect the contents and know who the recipient is.

And it would break at any corporation that does a MITM on their own employees to monitor SSL traffic.

What do you mean "apps like this"? The OP is talking about the Windows 10 OS, which uses the OS CA store.

The app in question is the search UI/Cortana. It has no need to use the OS store and could easily pin to MS's CA.

Doesn't work with cert pinning.