dart-lang / sdk

The Dart SDK, including the VM, dart2js, core libraries, and more.
https://dart.dev
BSD 3-Clause "New" or "Revised" License

Add support for Certificate Transparency #43352

Open JFreakDK opened 3 years ago

JFreakDK commented 3 years ago

When creating a TLS connection in Dart, the Signed Certificate Timestamps (SCTs) are not checked.

As an alternative to certificate pinning, it would be nice if we could use certificate transparency as most modern browsers do.

I tried to create this application, where the connection should be rejected because of missing SCTs:

import 'package:http/http.dart' as http;

Future<void> main(List<String> arguments) async {
  // This badssl host serves a certificate without SCTs, so a CT-enforcing
  // client should reject it; Dart accepts it because it never checks SCTs.
  var response = await http.get(Uri.parse('https://no-sct.badssl.com/'));
  print('Response status: ${response.statusCode}');
  print('Response body: ${response.body}');
}

What happens is that the request is executed and the response is returned without any issues.

I have been trying this in a Flutter app on both Android and iOS and in this cli application on Linux.

Apple has their Certificate Transparency policy that states that a certificate that does not comply with the policy would result in a failed TLS connection (https://support.apple.com/en-us/HT205280). With Flutter the connection does not fail.

An attempt to implement support for this has started here: https://github.com/lennartschoch/certificate_transparency, but shouldn't this be part of the SDK?
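The SCTs the post above says Dart never inspects are carried in the leaf certificate's CT extension (or in a TLS extension or OCSP response) as an RFC 6962 SignedCertificateTimestampList. The following is an added example, not Dart SDK code, that parses that TLS-encoded list and applies a minimal "at least two distinct logs" policy check; the log ids and signatures are constructed placeholders, and signature verification against log keys is not implemented.

```python
import struct
from collections import namedtuple
# One SCT per RFC 6962 s3.2; log_id is the SHA-256 of the log's public key.
SCT = namedtuple("SCT", "version log_id timestamp_ms extensions hash_alg sig_alg signature")

def _take(buf: bytes, pos: int, n: int):
    if pos + n > len(buf):
        raise ValueError("truncated SCT data at offset %d" % pos)
    return buf[pos:pos + n], pos + n

def _u16_vec(buf: bytes, pos: int):
    """opaque x<0..2^16-1>: two-byte big-endian length, then that many bytes."""
    raw, pos = _take(buf, pos, 2)
    return _take(buf, pos, struct.unpack(">H", raw)[0])

def parse_sct(raw: bytes) -> SCT:
    version, pos = _take(raw, 0, 1)          # 0 = v1, the only version defined
    log_id, pos = _take(raw, pos, 32)
    ts, pos = _take(raw, pos, 8)             # uint64 milliseconds since the epoch
    extensions, pos = _u16_vec(raw, pos)
    algs, pos = _take(raw, pos, 2)           # TLS hash and signature algorithm ids
    signature, pos = _u16_vec(raw, pos)
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT")
    return SCT(version[0], log_id, struct.unpack(">Q", ts)[0], extensions, algs[0], algs[1], signature)

def parse_sct_list(raw: bytes) -> list:
    """SignedCertificateTimestampList: u16 total length, then u16-prefixed SCTs."""
    body, end = _u16_vec(raw, 0)
    if end != len(raw):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(body):
        one, pos = _u16_vec(body, pos)
        scts.append(parse_sct(one))
    return scts

def meets_policy(scts: list, min_logs: int = 2) -> bool:
    """Minimal CT policy: every SCT is v1 and at least min_logs distinct logs signed.
    Checking each signature against the log's public key is out of scope here."""
    return all(s.version == 0 for s in scts) and len({s.log_id for s in scts}) >= min_logs

# Constructed test data: fake log ids and placeholder signatures, not real CT log output.
def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes = bytes(8)) -> bytes:
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)

def encode_sct_list(scts: list) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

LOG_A, LOG_B = bytes([0xA1] * 32), bytes([0xB2] * 32)
TWO_LOGS = encode_sct_list([encode_sct(LOG_A, 1_600_000_000_000), encode_sct(LOG_B, 1_600_000_000_000)])
ONE_LOG = encode_sct_list([encode_sct(LOG_A, 1_600_000_000_000)])
```

A certificate like the one served by no-sct.badssl.com would yield an empty list here, and `meets_policy` would reject it, which is the decision Dart's TLS stack currently never makes.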

PawlikMichal25 commented 1 year ago

Another point is that Flutter apps would become more secure "for free" if that was implemented, so definitely worth it 👍🏻

EricDunaway commented 6 months ago

This would be a great improvement for app security. You get this for free if you use the platform specific mobile APIs. I am unsure why dart/flutter would not provide this security.

flbaue commented 1 month ago

I think this is already possible by using the native HTTP clients via cupertino_http or cronet_http.

UmerTaptap commented 1 month ago

@flbaue Could you please tell me how I can do this? Do you have any docs or references?

flbaue commented 1 month ago

@UmerTaptap As far as I understand the Apple documentation on this, certificate transparency is already enforced by Apple. Root CAs that don't comply with it will not make it into the trusted list. So if you rely on the iOS root CAs, you should be fine.

General Apple docs on certificate transparency: https://support.apple.com/en-us/103214

Apple ATS config for certificate transparency: https://developer.apple.com/documentation/bundleresources/information_property_list/nsrequirescertificatetransparency#

Since Dart by default uses the root CA list from iOS, that should already be fine as well. But correct me if I am wrong.

I did not check the Google docs yet, but I would assume similar behavior on Android, since certificate transparency is actually a Google initiative.