Hacker News new | ask | show | jobs
by londons_explore 633 days ago
Apple could say "If you wanna talk HTTPS, you have to use our HTTPSClient class, and that only supports using the system certificate store and does not support pinning".

Or they could say "All apps that don't support custom certificates for https will be denied app store approval".
4 comments
lxgr 633 days ago
While you're at it, make sure to have them prohibit any encryption on top of HTTPS, or apps might just be hiding things in application-level encryption schemes!

Banning certificate pinning... Do we really need mandated insecurity by prohibiting apps from doing better than trusting all Apple-trusted CAs around the world?

link
saagarjha 633 days ago
They already do that to some extent, actually. Not as you mention, but because of US export compliance laws.
link
lxgr 633 days ago
Countless encrypted messenger apps, GPG implementations etc. beg to differ.
link
saagarjha 633 days ago
Beg
link
londons_explore 633 days ago
A better rule might be "You must use our HTTPSClient class, and it either uses the system+user trust stores, or optionally it uses an application supplied certificate authority+the user trust store".
link
derefr 633 days ago
Or you could ignore the self-signed aspect altogether, and instead give the OS VPN framework (where all network introspection stuff lives on iOS) a hook into the forced-choice HTTPS client — a hook that allows the active system VPN to say either “show me that before you encrypt it / after you decrypt it” or “don’t bother encrypting/decrypting that; I’ll handle it.”

Where, in the latter case, the TLS establishment is opaque, but then the VPN is handed the data that would be going through the TLS logic, plus an (also-opaque) handle to the established TLS-session RSA key, that it can use to finish the encryption/decryption process of each stream-chunk on behalf of the app, after doing whatever filtering / transformation / etc. it wants to do.

(Anyone remember Privoxy, the “MITM that works for you” that presaged most of the in-client features of Tor Browser? Same idea; just now with OS support.)

link
tadfisher 633 days ago
The only way to "not support pinning" is to prevent apps from inspecting the certificate chain. This will break much more than pinning.
link
jesterson 633 days ago
Why they would do that? They can't care less about what end user want, particularly in context we are discussing
link