Jump to content

Change mobile app server certificate pinning behaviour


Recommended Posts

To make the app server work you have to pin its certificate through the main Passwordstate service, which currently seems to use the certificate itself. I'm using Let's Encrypt for my certificates, so that means every few months I have to clear the pin, re-query for the new cert and tell all users to re-pair their apps. And even if you use "real" certs that have a validity period of a couple years, once that expires you'll have exactly the same problem.

 

I propose that instead of generating some form of hash of the certificate, Passwordstate should use the SPKI fingerprint instead. As far as I know this is dependent on the private key, so as long as that doesn't change the output will be the same. This is how HTTP Public Key Pinning works as well, as to not to break all clients that have already cached the previous pin when the cert rotates. Many Let's Encrypt clients (or ACME in general) can be told to reuse an existing private key.

Link to comment
Share on other sites

  • 2 months later...

Hi Guys,

 

Thanks for your request, but we will not be changing the behaviour for this. We have engaged with an external Cyber Security company for the development of the App Server, and they also recommended the current method we implemented.

 

As certificates are quite cheap, we instead recommend purchasing a certificate, instead of using Let's Encrypt.

Regards

Click Studios

Link to comment
Share on other sites

 Share

×
×
  • Create New...