Certificate Pinning with OkHttp

Now that you know how to run a man-in-the-middle attack, you want to know how to prevent one. The way we’re going to do that is by “pinning” your certificate.

How does it work?

HTTPS begins its connection by verifying the certificate that’s being presented by the server. It checks all of the signatures in the chain of trust, and that the root certificate authority (CA) is any one of the trusted roots installed in your OS. What we do with pinning is to add one more check — the client checks that one of the certificates in the chain of trust is exactly the certificate it’s expecting.

The man-in-the-middle attack that we ran relied on installing a bogus trusted root CA in the operating system, which mitmproxy used to create a bogus chain of trust. But if you’ve pinning the real certificate, this attack fails because mitmproxy can’t issue a bogus certificate with your server’s real key.

OK let’s do it

OkHttp3

    1. Set up a certificate pinner on your OkHttpClient with a dummy signature for your domain:
    2. Run with that certificate pinner, you’ll get an SSLPeerUnverifiedException showing the expected hash (your bogus one) and the actual hashes for each certificate in the chain.certificate-pinning-failure
    3. Replace the bogus hash in your code with the hash of the certificate you want to pin, and run it again.
    4. Now try running with mitmproxy again to verify that it fails.
OkHttp2
  1. Same steps as above, but here’s the code for your dummy pinner:

Let’s talk about some of the things you need to think about:

Renewals – certificates aren’t forever

When you look at any of the certificates in your chain, you’ll notice that they all have expiration dates. Sometime before that expiration date, your system administrator is (hopefully) going to renew that certificate – that is, they’ll get a new certificate for your server. If you’re not planning ahead and talking to your sysadmin, this could break your connections.

Pin the whole certificate or just the public key?

If you were manually verifying the certificate, you might think of hashing the whole certificate and ensuring that matches your expected value. That’s going to be brittle, because if the certificate gets renewed and you’re pinning to the entire certificate, your pin is going to break.

So in the example above, OkHttp is pinning the public key info, not the whole certificate. So if the certificate gets renewed and the new certificate has the same public key, your pin should continue to work fine.

Which certificate in the chain to pin?

You can pin any of the certificates in your chain of trust – the root CA, and intermediate CA, or your server’s certificate. Let’s look at some pros and cons of each.

If you pin one of the CA certificates, then as long as your server gets a new certificate from the same CA, it doesn’t matter if your certificates public key changes. This is potentially useful if your server is hosted by somebody else and you might change providers. The downside is you’re locked into that CA. You have to get your renewed certificate from the same CA, and their public key has to be unchanged.

On the other hand, if you pin your server’s certificate, then you can get your renewed certificate from any CA you want, as long as your server’s public key is unchanged.

Bottom line: talk to your system administrator to ensure that your pinning won’t break when they renew the certificate.

UPDATE — see also:

Author: jeb

Views expressed here are my own and do not necessarily reflect the views of my employer.

One thought on “Certificate Pinning with OkHttp”

Comments are closed.