Closed alexbejann closed 10 months ago
Hello @alexbejann, a few months ago my PR was merged: https://github.com/diefferson/http_certificate_pinning/pull/46
You can check there how to perform the root check instead of a leaf check. Note that checking the root is not recommended anyway, except for specific situations/use cases, since the root is shared among multiple certificates.
I.e., a MITM attack can be performed by a malicious actor if he identifies himself with a certificate which shares the same root fingerprint as the one you are pinning.
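The weakness described in the comment above, as an added example that is not part of this thread or of http_certificate_pinning: a small Go program (Go's standard library rather than the Flutter package, because it can build a throw-away PKI offline) issues a root CA, a legitimate server certificate and a second, equally valid certificate for the same hostname from the same CA, then applies a root pin and a leaf pin to both. The hostname api.example.com, the "Example Root CA" name and the SHA-256-over-DER fingerprint format are assumptions for the illustration; the pin comparison runs only after ordinary chain and hostname validation, as a pinning library would do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issue creates a P-256 key and a certificate for cn signed by parentKey; with parent == nil it is a self-signed root CA.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // random serial, as real CAs use
	tmpl := &x509.Certificate{
		SerialNumber:          sn,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// fingerprint is SHA-256 over the DER certificate, the value a pinning library is configured with (assumed format).
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// pinAccepts runs ordinary chain validation for host, then compares the leaf (pinRoot == false) or the root of the validated chain against pins.
func pinAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string, pinRoot bool, pins []string) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false // untrusted or name-mismatched chains never reach the pin comparison
	}
	chain := chains[0] // chain[0] is the leaf, chain[len-1] the trusted root
	fp := fingerprint(chain[0])
	if pinRoot {
		fp = fingerprint(chain[len(chain)-1])
	}
	for _, p := range pins {
		if p == fp {
			return true
		}
	}
	return false
}

// Scenario reports, for the legitimate and the attacker's certificate, whether each passes a root pin and a leaf pin.
func Scenario() map[string]bool {
	const host = "api.example.com" // constructed hostname
	root, rootKey := issue("Example Root CA", true, nil, nil)
	legit, _ := issue(host, false, root, rootKey)
	attacker, _ := issue(host, false, root, rootKey) // a second, valid cert for the same name from the same CA
	roots := x509.NewCertPool()
	roots.AddCert(root)
	rootPin := []string{fingerprint(root)}
	leafPin := []string{fingerprint(legit)}
	return map[string]bool{
		"legit/rootpin":    pinAccepts(legit, roots, host, true, rootPin),
		"legit/leafpin":    pinAccepts(legit, roots, host, false, leafPin),
		"attacker/rootpin": pinAccepts(attacker, roots, host, true, rootPin),
		"attacker/leafpin": pinAccepts(attacker, roots, host, false, leafPin),
	}
}

func main() {
	fmt.Println(Scenario())
}
```

Running it shows the attacker's certificate passing the root pin and failing the leaf pin: a root pin only restricts which CA may issue for the host, so anyone who obtains a certificate for that name from the same CA (or from any intermediate under it) is indistinguishable from the real server, which is exactly the MITM case described above. The usual middle ground is pinning an intermediate or the leaf's SubjectPublicKeyInfo hash, which survives a certificate renewal as long as the key pair is reused.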
Hello @davideravasi, thank you for your reply! That's exactly what I did for now. Yes, I discussed this practice within the organisation, and we're working on a different solution as we speak which would require the leaf certificates, avoiding the need to update fingerprints.
Hi @diefferson, thank you for this package! I want to prevent MITM attacks by checking the certificate, but I don't want to use the leaf certificates for this and would rather use the ROOT certificate, which is valid for a couple of years. I was wondering if we can do a check on that as well.