Posted to issues@cordova.apache.org by "Jacob Weber (JIRA)" <ji...@apache.org> on 2014/04/18 02:40:15 UTC

[jira] [Commented] (CB-3498) Certificate Pinning

    [ https://issues.apache.org/jira/browse/CB-3498?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13973637#comment-13973637 ] 

Jacob Weber commented on CB-3498:
---------------------------------

Just wondering if there's any work happening on this. I saw some discussion on the mailing list a while ago, but nothing else. I need to add pinning support to my app, and I'm wondering if I should wait for an "official" plugin, or go for something like [this|https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin].

And an additional feature request, if this gets done: would it be possible to have a JS hook to add valid certificates? I'm thinking of a scenario where you have one pinned self-signed cert initially. You use that to make an AJAX call to a server that you control, which returns a list of other valid certs, for servers that your app will connect to. That way you can update the certs your app can use, without forcing users to update the app. And since your pinned cert is self-signed, you can make it valid for a long time. Would this make sense (and be secure)?

> Certificate Pinning
> -------------------
>
>                 Key: CB-3498
>                 URL: https://issues.apache.org/jira/browse/CB-3498
>             Project: Apache Cordova
>          Issue Type: Wish
>          Components: Android, iOS
>    Affects Versions: 2.7.0
>            Reporter: mgill
>            Priority: Minor
>              Labels: certificate, security
>
> It would be a handy feature to have certificate pinning supported.
> Examples:
>     https://github.com/iSECPartners/ssl-conservatory/tree/master/ios
>     https://github.com/moxie0/AndroidPinning


