Hacker News

This is so bad. I used to think a while back that SSL pinning was over the top. It looks like we as an industry need to move to SSL pinning asap wholesale.

The problem with pinning, as I understand it, is that it prevents me from being able to see traffic from my own computer (via HTTPS proxy). Pinning is fine as long as I can turn it off, but I don't want to completely lose the ability to audit the traffic coming off my computer, phone, etc. Related is the recent supposed change in Android disabling the ability to add a trusted root certificate, that also screws the ability to audit.

If you are using Firefox you can log all TLS Master Secrets to a file so you can later on decrypt the recorded TLS (i.e. HTTPS) sessions. Wireshark supports the file format out of the box.
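An added example, not part of the comment above: a parser for the NSS key log format that Firefox writes when SSLKEYLOGFILE is set and that Wireshark reads as its "(Pre)-Master-Secret log". It shows what a key log line actually contains (a label, the 32-byte ClientHello random, and the secret), why the client random is what lets Wireshark match a line to a captured session, and which sessions in a log are fully decryptable. The sample log is constructed for this example; the hex values are not real secrets, and the older "RSA ..." line format is deliberately not handled.

```python
"""Parse NSS key log (SSLKEYLOGFILE) lines and index secrets per TLS session.

Illustrative code, not Firefox or Wireshark code. SAMPLE_KEYLOG is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# CLIENT_RANDOM carries the 48-byte master secret of a TLS <= 1.2 session.
# The remaining labels are TLS 1.3 secrets (32 or 48 bytes, per the suite hash).
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}

# <label> <client_random: 64 hex chars> <secret: hex>
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class KeyLogEntry:
    label: str
    client_random: bytes
    secret: bytes


def parse_keylog(text: str) -> tuple[list[KeyLogEntry], list[str]]:
    """Return (accepted entries, rejected raw lines).

    Blank lines and '#' comments are skipped. A line is rejected if it does
    not match the grammar, uses an unknown label, or has a secret of the
    wrong length for its label.
    """
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected.append(raw)
            continue
        label, secret = m.group("label"), bytes.fromhex(m.group("secret"))
        if label in TLS12_LABELS:
            ok = len(secret) == 48
        elif label in TLS13_LABELS:
            ok = len(secret) in (32, 48)
        else:
            ok = False
        if not ok:
            rejected.append(raw)
            continue
        entries.append(KeyLogEntry(label, bytes.fromhex(m.group("random")), secret))
    return entries, rejected


def index_by_client_random(entries: list[KeyLogEntry]) -> dict[bytes, dict[str, bytes]]:
    """Group secrets per session. The ClientHello random is the join key:
    Wireshark reads it from the captured ClientHello and looks it up here."""
    index: dict[bytes, dict[str, bytes]] = {}
    for e in entries:
        index.setdefault(e.client_random, {})[e.label] = e.secret
    return index


def decryptable_sessions(index: dict[bytes, dict[str, bytes]]) -> dict[str, str]:
    """Map client_random (hex) to 'tls1.2', 'tls1.3', or 'partial'.

    TLS 1.2 needs only CLIENT_RANDOM. TLS 1.3 needs both application traffic
    secrets to decrypt post-handshake data in both directions."""
    out = {}
    for rnd, secrets in index.items():
        if "CLIENT_RANDOM" in secrets:
            out[rnd.hex()] = "tls1.2"
        elif set(secrets) >= {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}:
            out[rnd.hex()] = "tls1.3"
        else:
            out[rnd.hex()] = "partial"
    return out


# Constructed sample; randoms and secrets are repeated bytes, not real values.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "11" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "22" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "33" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "44" * 32,
    "EXPORTER_SECRET " + "cc" * 32 + " " + "55" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "dd" * 32 + " " + "66" * 32,  # lone line: partial
    "CLIENT_RANDOM " + "ee" * 32 + " " + "ff" * 20,  # truncated master secret: rejected
    "RSA 0123456789abcdef " + "00" * 48,  # older RSA format, not handled here: rejected
])

if __name__ == "__main__":
    entries, rejected = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(entries)} entries accepted, {len(rejected)} lines rejected")
    for rnd, kind in decryptable_sessions(index_by_client_random(entries)).items():
        print(rnd[:16] + "...", kind)
```

To use this against a real capture, point Wireshark at the same file (Preferences, Protocols, TLS, "(Pre)-Master-Secret log filename") or run `tshark -o tls.keylog_file:/path/to/keylog.txt -r capture.pcapng`; sessions the parser reports as "partial" will show handshake data at most, and rejected lines are ones Wireshark will also ignore.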


For better and for worse, installing a private root in most browsers causes pinning to be disabled (for certs signed by that root?).

From what I can tell from my former employer's HTTPS MITM, websites with certificate pinning turned on had to be exempted from the TLS proxy, otherwise browsers would throw pinning errors.

"Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites. “Data loss prevention” appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning."


It's not hard to disable this in my experience. I can break cert pinning in less than 2 mins on Android apps and perhaps 20 on iOS (replace the key in strings).

Web is even easier, just run chrome without pinning enabled.
