
feat: (android) Support pinning on the certificate chain

Open · jifang opened this issue 1 year ago · 1 comment

Added support for pinning on the server's root and intermediate certificates. Previously, Android only supported pinning on the leaf certificate. This change improves operational flexibility by allowing pinning on the certificate chain, reducing downtime when issuing new server certificates.

#54

jifang, Mar 11 '25 11:03

Hi @jifang, this seems a good improvement, but when we enable validation of the root and intermediate certificates we are opening up to any certificate from the same provider being valid, which I mentioned on this issue. To summarize, pinning the root or intermediate certificate in your app will give you the flexibility of not updating the certificate when it expires, but opens the door to certificate pinning attacks.

For example, this root certificate is valid for any certificate generated by Let's Encrypt:

9D 7C 3F 1A A6 AD 2B 2E C0 D5 CF 1E 24 6F 8D 9A E6 CB C9 FD 07 55 AD 37 BB 97 4B 1F 2F B6 03 F3

You can check it with the sites https://www.mozilla.org and https://www.noodle.cx; both will be considered secure using this fingerprint.

diefferson, Mar 14 '25 13:03
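The trade-off the two comments describe can be made concrete with a small program. The following is an added example, not code from the http_certificate_pinning plugin or from either participant; it is written in Go (rather than the plugin's Kotlin/Dart) so that it runs stand-alone with only the standard library. It constructs a throw-away CA (a root, an intermediate, and two unrelated leaves for the made-up hosts app.example.test and other.example.test, all names and keys constructed for the example), formats SHA-256 fingerprints the way the issue quotes them, and implements a chain-wide pin check. The leaf pin accepts only the chain it was taken from; the intermediate or root pin accepts both chains, which is exactly the "any certificate from the same provider" observation above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Chain is a server-presented chain, leaf first, the order in which
// Android's X509TrustManager hands it to the app.
type Chain []*x509.Certificate

// Fingerprint is the SHA-256 of the DER encoding, formatted like the
// fingerprint quoted in the issue (upper-case hex bytes separated by spaces).
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, " ")
}

// normalisePin accepts "AA BB", "AA:BB" or "aabb" spellings of the same pin.
func normalisePin(p string) string {
	return strings.ToUpper(strings.NewReplacer(" ", "", ":", "").Replace(p))
}

// PinMatches is the chain-pinning check the feature request describes: the
// connection passes if ANY certificate in the chain, not only the leaf,
// matches a configured pin. The chain must already have passed normal path
// validation; pinning narrows trust, it never replaces that step.
func PinMatches(chain Chain, pins []string) bool {
	want := map[string]bool{}
	for _, p := range pins {
		want[normalisePin(p)] = true
	}
	for _, c := range chain {
		if want[normalisePin(Fingerprint(c))] {
			return true
		}
	}
	return false
}

// ChainVerifies runs standard path validation with the chain's last
// certificate (our constructed root) as the only trust anchor.
func ChainVerifies(chain Chain, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// template builds a CA or server-leaf template; leaves get a SAN and the
// serverAuth EKU so that Verify accepts them for the host name.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// BuildDemoPKI constructs the example hierarchy: two unrelated leaves issued
// by the same intermediate under the same root (all constructed, not real).
func BuildDemoPKI() (Chain, Chain) {
	rootKey, interKey, aKey, bKey := newKey(), newKey(), newKey(), newKey()
	rootT := template(1, "Demo Root CA", true)
	root := mustCert(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter := mustCert(template(2, "Demo Intermediate CA", true), root, &interKey.PublicKey, rootKey)
	leafA := mustCert(template(3, "app.example.test", false), inter, &aKey.PublicKey, interKey)
	leafB := mustCert(template(4, "other.example.test", false), inter, &bKey.PublicKey, interKey)
	return Chain{leafA, inter, root}, Chain{leafB, inter, root}
}

func main() {
	a, b := BuildDemoPKI()
	for _, level := range []struct{ name string; idx int }{{"leaf", 0}, {"intermediate", 1}, {"root", 2}} {
		pin := []string{Fingerprint(a[level.idx])}
		fmt.Printf("pin on %-12s accepts app=%v other=%v\n", level.name, PinMatches(a, pin), PinMatches(b, pin))
	}
}
```

Running it prints that the leaf pin accepts only the app chain while the intermediate and root pins accept both. In an app, the practical middle ground is to pin the leaf plus a backup pin for the next certificate (or the issuing intermediate) and to rotate pins with app releases, rather than pinning a public root that vouches for every site that CA serves.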