
Security Vulnerabilities in Certificate Pinning - eridius
https://www.schneier.com/blog/archives/2017/12/security_vulner_10.html
======
eridius
From the paper, it appears that Spinner works by using censys.io to search for
other websites that have the same certificate chain as the target domain (only
differing in the leaf certificate), then redirects the app in question to that
alternative website. It then analyzes the encrypted network traffic to see if
the app completes the SSL handshake or if it bails while establishing. If it
completes the SSL handshake then it must not have performed hostname
verification.
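
Added example (not part of the comment above and not code from the Spinner paper): a minimal Python model of the flaw the comment describes, where a client pins a CA certificate but skips hostname verification, next to a check that requires both. The `Cert` class, the sample names and the placeholder certificate bytes are constructed for illustration; signature and expiry validation are assumed to happen elsewhere and are not modelled.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not parsed from real DER)."""
    der: bytes             # placeholder bytes standing in for the encoded cert
    dns_names: tuple = ()  # subjectAltName dNSName entries (leaf only)

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def chain_matches_pin(chain, pinned):
    """True if any CA certificate above the leaf is in the pin set."""
    return any(c.fingerprint in pinned for c in chain[1:])

def hostname_matches(leaf, hostname):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in leaf.dns_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def weak_accepts(chain, pinned, hostname):
    # Flawed: pins the CA but never checks who the leaf was issued to.
    return chain_matches_pin(chain, pinned)

def strict_accepts(chain, pinned, hostname):
    # Hardened: the pin and the hostname check must both pass.
    return chain_matches_pin(chain, pinned) and hostname_matches(chain[0], hostname)

# Constructed sample data: two sites whose chains differ only in the leaf.
ROOT = Cert(b"constructed-root-ca")
INTERMEDIATE = Cert(b"constructed-intermediate-ca")
APP_LEAF = Cert(b"leaf-app", ("api.app.example", "*.cdn.app.example"))
OTHER_LEAF = Cert(b"leaf-other", ("www.other.example",))
PINS = {INTERMEDIATE.fingerprint}
APP_CHAIN = [APP_LEAF, INTERMEDIATE, ROOT]
OTHER_CHAIN = [OTHER_LEAF, INTERMEDIATE, ROOT]
```

With this data, `weak_accepts(OTHER_CHAIN, PINS, "api.app.example")` returns `True` while `strict_accepts` with the same arguments returns `False`, which is the difference in handshake outcome the comment says the tool observes.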

