diefferson / http_certificate_pinning

Https Certificate pinning for Flutter
Apache License 2.0

Root Certificate check #49

Closed alexbejann closed 10 months ago

alexbejann commented 10 months ago

Hi @diefferson, thank you for this package! I want to prevent MITM attacks by checking the certificate, but I don't want to use the leaf certificates for this; I'd rather use the ROOT certificate, which is valid for a couple of years. I was wondering if we can do a check on that as well.

davideravasi commented 10 months ago

Hello @alexbejann, a few months ago my PR was merged: https://github.com/diefferson/http_certificate_pinning/pull/46

You can check there how to perform the root check instead of a leaf check. Note that checking the root is anyway not recommended except for specific situations/use cases, since the root is shared among multiple certificates.

Aka a MITM attack can be performed by a malicious actor if he identifies himself with a certificate which shares the same root fingerprint as the one you are pinning.
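The difference between a leaf pin and a root pin that the reply above describes can be made concrete without any network access. The following is an added, self-contained Go example (not code from http_certificate_pinning or from anyone in this thread; Go was chosen because its standard library can build and validate X.509 chains offline). It constructs a throwaway root CA and two distinct leaf certificates for the same hostname `api.example.com`, both signed by that root, then runs normal path validation followed by a fingerprint comparison. The leaf pin accepts only the pinned certificate; the root pin accepts both, because both chain to the same root. All names, serial numbers and keys are constructed for the example; `CheckPin`, `BuildScenario` and `Scenario` are this example's own, not the package's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed in-memory PKI: a root CA and two leaves it issued for the same host.
type Scenario struct {
	Root, Legit, Other *x509.Certificate
}

// Fingerprint is the SHA-256 of the certificate's DER bytes, as lowercase hex.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// CheckPin first runs ordinary path validation (signatures, validity period, hostname) with root as
// trust anchor, then compares one cert of the validated chain with the allow list: leaf or anchor.
func CheckPin(leaf, root *x509.Certificate, host string, allowed []string, pinRoot bool) (bool, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	if err != nil {
		return false, err // pinning is an extra check on top of validation, never a replacement
	}
	chain := chains[0] // ordered leaf .. root
	c := chain[0]
	if pinRoot {
		c = chain[len(chain)-1]
	}
	for _, a := range allowed {
		if a == Fingerprint(c) {
			return true, nil
		}
	}
	return false, nil
}

// issue generates a fresh P-256 key for tmpl and has signer certify it; nil signer means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario generates the constructed PKI; nothing in it is a real CA or a real pin.
func BuildScenario() (*Scenario, error) {
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * 365 * 24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, rootKey, err := issue(rootTmpl, rootTmpl, nil)
	if err != nil {
		return nil, err
	}
	s := &Scenario{Root: root}
	for i, dst := range []**x509.Certificate{&s.Legit, &s.Other} { // two distinct leaves, same name, same root
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 2)), Subject: pkix.Name{CommonName: "api.example.com"}, DNSNames: []string{"api.example.com"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		if *dst, _, err = issue(tmpl, root, rootKey); err != nil {
			return nil, err
		}
	}
	return s, nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	for _, leaf := range []*x509.Certificate{s.Legit, s.Other} {
		leafOK, _ := CheckPin(leaf, s.Root, "api.example.com", []string{Fingerprint(s.Legit)}, false)
		rootOK, _ := CheckPin(leaf, s.Root, "api.example.com", []string{Fingerprint(s.Root)}, true)
		fmt.Printf("leaf serial %v: leaf pin %v, root pin %v\n", leaf.SerialNumber, leafOK, rootOK)
	}
}
```

Running it prints one line per leaf: the pinned leaf passes both checks, the second leaf fails the leaf pin but passes the root pin. The trade-off is exactly the one discussed above: the leaf pin is the narrower control, at the cost of rotating the pinned fingerprint whenever the server certificate is renewed, whereas the root pin survives renewals but only narrows trust to "anything this CA has signed for this name".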

alexbejann commented 10 months ago

Hello @davideravasi, thank you for your reply! That's exactly what I did for now. Yes, I discussed this practice within the organisation, and we're working on a different solution as we speak which would require the leaf certificates, avoiding the need to update fingerprints.