Improve public key pinning #17
Comments
|
Also related: aio-libs/aiohttp#1185 |
|
Yeah, but HPKP is about dynamic pinning. This issue here is about a static (hardcoded) pin. |
|
Another good point made by @thorsteneckel: You still use SHA-1… |
|
|
|
Maybe @thorsteneckel could look into it? I think you've already looked into the code… |
|
I'll take the next free slot of time and create a PR. |
|
@rugk It was actually MD5 but don't tell anyone. 😨 |
|
@rugk is right about that one, pinning the fingerprint is sometimes not an option in production, since it might break the gateway without notice. Verifying the public key and backup key (via HPKP) would be the better approach. @thorsteneckel any news on a free timeslot? :) |
|
That's why verifying the fingerprint is turned off by default at the moment... which of course isn't ideal. |
|
Actually, the aiohttp devs do not really care for that feature here… Also remember aio-libs/aiohttp#1187 is about static key pinning (what we need here) and aio-libs/aiohttp#1185 about dynamic one (i.e. HPKP). And I would bet I know the argument they'll come up with if you urge them to implement HPKP or implement it yourself in a PR… |
The fingerprint will change from time to time and hard-coding it in this library we cannot forcibly deploy (unlike e.g. the Threema apps) is a surprising footgun since your services may suddenly fail (when Threema changes the fingerprint). As pointed out in #17, hard-coding the fingerprint (over the public key) is also undesirable. Furthermore, we want users to use their custom `aiohttp.ClientSession` instance. Therefore, we have decided to remove it. If you want to retain this feature, all you have to do is provide your own `aiohttp.ClientSession` in the following way: Connection(session=aiohttp.ClientSession( connector=aiohttp.TCPConnector(ssl=<fingerprint>))) See the aiohttp docs for details. Closes #17 Resolves #13 (by providing your own `SSLContext`)
The fingerprint will change from time to time and hard-coding it in this library we cannot forcibly deploy (unlike e.g. the Threema apps) is a surprising footgun since your services may suddenly fail (when Threema changes the fingerprint). As pointed out in #17, hard-coding the fingerprint (over the public key) is also undesirable. Furthermore, we want users to use their custom `aiohttp.ClientSession` instance. Therefore, we have decided to remove it. If you want to retain this feature, all you have to do is provide your own `aiohttp.ClientSession` in the following way: Connection(session=aiohttp.ClientSession( connector=aiohttp.TCPConnector(ssl=<fingerprint>))) See the aiohttp docs for details. Closes #17 Resolves #13 (by providing your own `SSLContext`)
The fingerprint will change from time to time and hard-coding it in this library we cannot forcibly deploy (unlike e.g. the Threema apps) is a surprising footgun since your services may suddenly fail (when Threema changes the fingerprint). As pointed out in #17, hard-coding the fingerprint (over the public key) is also undesirable. Furthermore, we want users to use their custom `aiohttp.ClientSession` instance. Therefore, we have decided to remove it. If you want to retain this feature, all you have to do is provide your own `aiohttp.ClientSession` in the following way: Connection(session=aiohttp.ClientSession( connector=aiohttp.TCPConnector(ssl=<fingerprint>))) See the aiohttp docs for details. Closes #17 Resolves #13 (by providing your own `SSLContext`)
Currently the fingerprint of the certificate is pinned.
There are things to improve this pinning:
To prevent this, pin the public key of the key pair instead of the fingerprint.
As this may be an upstream issue with aiohttp, I also opened an issue there: aio-libs/aiohttp#1187
The text was updated successfully, but these errors were encountered: