Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Matthew McPherrin <mmc-tNvXhFWuUApWk0Htik3J/w <at> public.gmane.org>
Subject: CVE request - OkHttp Certificate Pining Bypass
Newsgroups: gmane.comp.security.oss.general
Date: Wednesday 10th February 2016 21:35:17 UTC (about 1 year ago)
A vulnerability was discovered in OkHttp that allows an attacker to bypass
certificate pinning. OkHttp did not validate that the pinned certificate
was in the chain to a trusted certificate authority.

This resulted in an attacker being able to present a certificate chain with
a certificate issued by one trusted certificate authority, and additionally
including the pinned certificate authority. Because the pinned certificate
was present, and the certificate was issued by a trusted certificate
authority, the server's certificate was accepted. However, it should not
have been accepted as the pinned certificate was not in the trust chain.

This allows an attacker to obtain a certificate from a non-pinned but
trusted CA, then have OkHttp connect to that server, bypassing certificate
pinning.
 
CD: 4ms