kaklakariada
commented
2 years ago @Abb4d0n Thank you for your proposal! OkHttp (the HTTP client we use) supports certificate pinning, but only for non-self-signed certificates (see https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/#note-about-self-signed-certificates).
I am thinking about migrating from OkHttp to the HTTP client included in JDK 11. Then I will revisit your proposal.
Currently, the TLS certificate of the FritzBox is not validated, which makes the library vulnerable to machine-in-the-middle attacks.
It would be better to support some kind of certificate pinning by comparing the hash of the FritzBox's certificate with the provided hash. Another solution would be to compare the fingerprint of the certificate with the provided fingerprint.