balanced / balanced-api

Balanced API specification.

SSL Certificate Pinning #538

Open jkwade opened 10 years ago

jkwade commented 10 years ago

SSL certificate pinning is not being done from what I can tell, leaving some exposure to MITM attacks, particularly from non-browser clients.

Would Balanced consider adding the hash of the cert to their client libraries?

matthewfl commented 10 years ago

One issue with this is we have changed our SSL cert a few times already, and I don't think that people update their clients enough that having a hash would outweigh the likeliness that their clients/code would break expediently.

For non-browser clients, we should enforce that they are checking the certificate against the root certificates.

steveklabnik commented 10 years ago

Yeah, this can cause real problems, see for example: http://blog.npmjs.org/post/80277229932/newly-paranoid-maintainers
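
Added example, not part of the thread and not code from Balanced's client libraries: a Python sketch of the two checks discussed in this issue, chain and hostname validation against the system root certificates followed by a SHA-256 fingerprint pin, with a backup pin so that a certificate rotation does not break deployed clients. The function names and the constructed certificate bytes are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint is in the pin set.
    Accepts pins written as plain hex or colon-separated hex."""
    normalized = {p.lower().replace(":", "") for p in pins}
    return cert_fingerprint(der_cert) in normalized


def open_pinned(host: str, pins, port: int = 443, timeout: float = 10.0):
    """Connect with normal root-CA and hostname validation, then apply the pin."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname enabled
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    if not pin_matches(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("server certificate fingerprint is not in the pin set")
    return tls


# Constructed stand-ins for the DER bytes of the current and the next certificate.
CURRENT_CERT = b"constructed-der-bytes-current-cert"
NEXT_CERT = b"constructed-der-bytes-next-cert"


def rotation_outcomes() -> dict:
    """What a shipped client sees after the server rotates to NEXT_CERT."""
    single_pin = {cert_fingerprint(CURRENT_CERT)}
    with_backup = single_pin | {cert_fingerprint(NEXT_CERT)}
    return {
        "single_pin": pin_matches(NEXT_CERT, single_pin),        # client breaks
        "with_backup_pin": pin_matches(NEXT_CERT, with_backup),  # client keeps working
    }
```

The backup pin only helps if the next certificate's fingerprint is shipped to clients before the rotation happens.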