Artificial truth

The more you see, the less you believe.


Paper notes - Spinner: Semi-Automatic Detection of Pinning without Hostname Verification
Fri 08 December 2017

Since CAs are a mess, applications on smartphones tend to use certificate pinning, accepting only certificates issued by a particular CA (it's also possible to pin the leaf certificate directly, but since it's less flexible, few entities are doing it).

It's easy to check if pinning is implemented by adding a new CA to the device. But having pinning doesn't mean that hostname verification is correctly implemented: this can be verified by purchasing a certificate from the same CA for a different hostname. Unfortunately, this doesn't scale.

The trick proposed by the paper is to use Censys to find certificates with a chain that only differs in the leaf certificate, and to redirect the application's traffic to a website using one of them. If the connection doesn't fail during session establishment, it means that hostname verification isn't correctly implemented (the paper identified 5 different ways in which TLS connections could fail). Redirection is performed with a simple DNS server, and TLS inspection with a custom proxy. Spinner's code is released on github (local mirror, 2017/12/08).
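As an added illustration (not code from the paper or from Spinner), here are the two acceptance policies the notes contrast, modelled over a constructed chain: a pin-only check, which accepts any leaf issued under the pinned CA, next to a check that also verifies the leaf's subject alternative names against the expected hostname. The certificate subjects, SPKI bytes and hostnames are made up, and signature verification and chain building are assumed to have already succeeded; only the pin and name checks are shown.

```python
import hashlib
from dataclasses import dataclass, field


# Minimal certificate model for the example: only the fields the two checks need.
# Signature verification and chain building are assumed to have already passed.
@dataclass
class Cert:
    subject: str
    spki: bytes                                # SubjectPublicKeyInfo bytes (constructed, not real DER)
    sans: list = field(default_factory=list)   # dNSName SubjectAltName entries


def spki_pin(cert: Cert) -> bytes:
    """SHA-256 over the SPKI, the usual form of a certificate pin."""
    return hashlib.sha256(cert.spki).digest()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive exact match, or a single
    wildcard that is the whole leftmost label and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # The wildcard must be the entire first label, must leave at least two fixed
    # labels, and label counts must agree ("*.example" does not cover a.b.example).
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_verified(leaf: Cert, hostname: str) -> bool:
    """True if any dNSName SAN of the leaf matches the hostname we meant to reach."""
    return any(dns_name_matches(san, hostname) for san in leaf.sans)


def pin_verified(chain: list, pins: set) -> bool:
    """True if any certificate in the presented chain carries a pinned SPKI hash
    (pinning an intermediate or root CA, as the notes say most apps do)."""
    return any(spki_pin(c) in pins for c in chain)


def accept_pin_only(chain: list, hostname: str, pins: set) -> bool:
    """The flawed policy: the pin replaces, rather than complements, the name check."""
    return pin_verified(chain, pins)


def accept_pin_and_hostname(chain: list, hostname: str, pins: set) -> bool:
    """Correct policy: the pin must match AND the leaf must be issued for the expected host."""
    return pin_verified(chain, pins) and hostname_verified(chain[0], hostname)


def run_demo() -> dict:
    """Evaluate both policies on a legitimate chain and on a same-CA chain for another host."""
    # Constructed sample data: one intermediate CA and two leaves it issued.
    ca = Cert("Example Intermediate CA", b"constructed-spki-of-example-ca")
    bank_leaf = Cert("bank.example", b"constructed-spki-bank", ["bank.example", "www.bank.example"])
    other_leaf = Cert("other.example", b"constructed-spki-other", ["other.example"])
    pins = {spki_pin(ca)}
    expected_host = "bank.example"
    legit_chain = [bank_leaf, ca]
    same_ca_wrong_host = [other_leaf, ca]   # the kind of chain Censys is used to find
    return {
        "pin_only": {
            "legit": accept_pin_only(legit_chain, expected_host, pins),
            "wrong_host": accept_pin_only(same_ca_wrong_host, expected_host, pins),
        },
        "pin_and_hostname": {
            "legit": accept_pin_and_hostname(legit_chain, expected_host, pins),
            "wrong_host": accept_pin_and_hostname(same_ca_wrong_host, expected_host, pins),
        },
    }


if __name__ == "__main__":
    for policy, outcome in run_demo().items():
        print(policy, outcome)
```

The pin-only policy accepts both chains, which is exactly the outcome Spinner looks for: a handshake that completes against a certificate for the wrong name. The combined policy rejects the second chain while still accepting the legitimate one, so adding the name check costs nothing in the normal case.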

Unsurprisingly, some banking applications didn't verify the hostname correctly.