Deprecate SSL pinning and trust chain verification. (#534)#1
Merged
vdbt merged 1 commit intovdbt:masterfrom Oct 23, 2017
Merged
Deprecate SSL pinning and trust chain verification. (#534)#1vdbt merged 1 commit intovdbt:masterfrom
vdbt merged 1 commit intovdbt:masterfrom
Conversation
Oh boy. Here's a controversial change.  Let's give a bit of backstory. A few weeks ago, Facebook was contacted by a whitehat hacker (the good guys) about a security vulnerability here in SocketRocket. For those of you who are truly interested in what that security flaw was, it is essentially the same flaw as outlined here: https://www.synopsys.com/blogs/software-security/ineffective-certificate-pinning-implementations/ So, we were faced with a choice - quietly push out a patch, and hope that eventually existing applications updated, or be transparent and admit we screwed up. This is us admititng we screwed up. And while yes, we could probably fix the implementation. But we talked internally, and decided that the best approach here is to completely remove the option for pinning. For all of our existing users that use certificate pinning, while we understand that in the past there has been a very large barrier to entry with getting a CA to issue a certificate. However, since the rollout of CAs like LetsEncrypt, there's become an ever-dwindling reason to actually use self-signed or unsigned certificates. For this reason, we're going to go ahead and deprecate the APIs that allow SSL pinning and disabling trust chain verification. The pinning APIs are now going to throw an exception when invoked, and the trust chain APIs have deprecation warnings. If you are a user of these APIs, and you for some reason **CANNOT** use a trust chain validated certificate, PLEASE speak up. While we cannot think of any reason to use those kinds of certificates, it's entirely possible we overlooked something. We'll leave this pullrequest unmerged for a two week period (Monday, August 28th, 2017), at which point, unless we have feedback convincing us otherwise, we will go ahead with this change.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Oh boy. Here's a controversial change.
Let's give a bit of backstory.
A few weeks ago, Facebook was contacted by a whitehat hacker (the good
guys) about a security vulnerability here in SocketRocket.
For those of you who are truly interested in what that security flaw
was, it is essentially the same flaw as outlined here:
https://www.synopsys.com/blogs/software-security/ineffective-certificate-pinning-implementations/
So, we were faced with a choice - quietly push out a patch, and hope
that eventually existing applications updated, or be transparent and
admit we screwed up.
This is us admititng we screwed up. And while yes, we could probably fix
the implementation. But we talked internally, and decided that the best
approach here is to completely remove the option for pinning.
For all of our existing users that use certificate pinning, while we
understand that in the past there has been a very large barrier to entry
with getting a CA to issue a certificate.
However, since the rollout of CAs like LetsEncrypt, there's become an
ever-dwindling reason to actually use self-signed or unsigned
certificates.
For this reason, we're going to go ahead and deprecate the APIs that
allow SSL pinning and disabling trust chain verification. The pinning
APIs are now going to throw an exception when invoked, and the trust
chain APIs have deprecation warnings.
If you are a user of these APIs, and you for some reason CANNOT use
a trust chain validated certificate, PLEASE speak up. While we cannot
think of any reason to use those kinds of certificates, it's entirely
possible we overlooked something. We'll leave this pullrequest unmerged
for a two week period (Monday, August 28th, 2017), at which point,
unless we have feedback convincing us otherwise, we will go ahead with
this change.