by varenc
1166 days ago
Ehh, I don't think it'd be that hard to implement cert pinning against OpenAI's APIs. You just need some very permissive pinning, where you require any publicly trusted CA, to prevent MITM attacks. Basically only trust the root CAs a phone already trusts by default. You don't need coordination between the server and your client to implement this. All you have to do is prevent your TLS calls from trusting any certs signed by manually trusted CAs that Proxyman/Charles/etc might have had the user add. Of course, that'll only delay the API keys leaking. With a jailbroken iPhone and Frida you can effectively disable cert pinning checks. Or extract the keys from memory, or binary analysis, etc.
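The permissive pinning described in the comment above, as an added example that is not from this thread or from any real app: the client verifies the server's chain against only the root set it ships (here one constructed in-memory root standing in for the public CA bundle), never against the device trust store that a proxy CA may have been added to. Go's crypto/x509 is assumed as a stand-in for the mobile TLS stack; the host name api.example.com, the CA names and every certificate are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert makes constructed test data: a self-signed CA when parent is nil, otherwise a server leaf for host `name` signed by parent.
func mkCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server leaf
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der) // fixed templates, so errors are ignored for brevity
	return cert, key
}

// TrustedByPinnedRoots verifies leaf for host against ONLY the pinned pool (the public CA set the app ships), never the device store.
func TrustedByPinnedRoots(leaf *x509.Certificate, host string, pinned *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pinned, DNSName: host})
	return err == nil
}

// Demo: a leaf from the pinned public root verifies; one from a locally installed proxy CA (the Proxyman/Charles case) for the same host does not.
func Demo() (viaPublicRoot, viaProxyCA bool) {
	root, rootKey := mkCert("Example Public Root", nil, nil)
	proxy, proxyKey := mkCert("Local Proxy CA", nil, nil)
	realLeaf, _ := mkCert("api.example.com", root, rootKey)
	mitmLeaf, _ := mkCert("api.example.com", proxy, proxyKey)
	pinned := x509.NewCertPool()
	pinned.AddCert(root) // only the shipped public root, not the device's trust store
	return TrustedByPinnedRoots(realLeaf, "api.example.com", pinned), TrustedByPinnedRoots(mitmLeaf, "api.example.com", pinned)
}
```

Passing a pool with `Roots` set makes Go skip the system store entirely, which is the whole point; leaving `Roots` nil would fall back to the OS store and re-admit any user-installed CA.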
Yeah but I have certs signed by trusted root authorities à la Let's Encrypt?