How about nextcloud Android mobile client implement HPKP for user more secure than without.

[erickhao]

Is your feature request related to a problem? Please describe.

I'm always frustrated when first install nextcloud server and client which mainly depends on DNS-01 or HTTP-01 challenge of ACME to get server certificate to protect user digital assets, but without check the server's public key(although checked by TLS, but a attacker like a bad operated CA----------------, DNS indeed , can still forge a bad certificate on other host, and change the dns, then he can get user data, the client pass the TLS check). Make user in danger of MITM attack. Most nextcloud data is belong to user only, the HPKP is good at secure user from depends on DNS or HTTP. Just like SSH does, when user first setup server it is a good time to setup HPKP for secure. The server's private key should not leave the server. User mobile client upload data and remember server's public key ( by check server's public key), to make user more secure. Even the bad operated CA and DNS owner CANNOT get user data, if only he can not get the server's private key.

Describe the solution you'd like

A clear and concise description of what you want to happen. In the client code, use TrustKit https://github.com/datatheorem/TrustKit-Android may be a selection. When user first link to his own server thought TLS, the client should remember the server' public key and let user known. When later the client access nextcloud server, it should check server's public key. If it's wrong, it should not to continue work.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Without HPKP, user self setuped server even in use of TLS, should be in danger.

Additional context

Add any other context or screenshots about the feature request here.

NOTE: Be super sure to remove sensitive data like passwords, note that everybody can look here! You can use the Issue Template application to prefill some of the required information: https://apps.nextcloud.com/apps/issuetemplate

[erickhao]

As the following said, it's not the server can do. But client's job. https://github.com/nextcloud/server/issues/14475

[AlvaroBrey]

HPKP specifically is very deprecated, so I'll make this issue about SSL pinning in general, not HPKP.

Certificate pinning is explicitly not recommended by the Android security guide [1], but this only applies to hardcoded pinning in the app, not to the "pin the first certificate and remember it" approach described in this issue.

By the way, TrustKit does not support dynamic pinning, only static (hardcoded) pinning, so it wouldn't be useful for this usecase.

[1] https://developer.android.com/training/articles/security-ssl#Pinning

[erickhao]

Hi ,AlvaroBrey . Thanks a lot for your reply. I am eric hao. All that you said is true.

In the same time , you say "HPKP is deprecated" , do you known why ? I think for generic browser and generic web server , it is maybe a selection . To chromium or chrome or mozilla firefox , use of HPKP is heavy to site administrator , and maybe make user confuse . To nextcloud client , it is mainly used for user to upload or download personal digital assets to user self setuped server , use of server's public key pinning is far more secure than not . We are not want to use certificate pinning (if insist , select leaf certificate better than not have ) , just server's public key pinning . So that we secure based on server's private key , not others , like DNS . And you said static( hardcoded ) pinning , if have , is better than don't have pinning . Anyway , it is about security , it can prevent user from fake server .

Apple support it . ( https://developer.apple.com/news/?id=g9ejcf8y ) So do IBM . ( https://community.ibm.com/community/user/security/blogs/carsten-hagemann1/2019/12/08/securing-mobile-applications-with-certificate-pinn )

I am not happy with you change my comment's title . It is more misleading for people.

Thanks again.

HPKP specifically is very deprecated, so I'll make this issue about SSL pinning in general, not HPKP.

Certificate pinning is explicitly not recommended by the Android security guide [1], but this only applies to hardcoded pinning in the app, not to the "pin the first certificate and remember it" approach described in this issue.

By the way, TrustKit does not support dynamic pinning, only static (hardcoded) pinning, so it wouldn't be useful for this usecase.

[1] https://developer.android.com/training/articles/security-ssl#Pinning

[erickhao]

Is SSH , I noticed that it even pinning all the server's key to make it work . Aka , all the type of public key is recorded and checked when use. For the nextcloud client , no mater Android or iOS or Desktop client should consider record the server's public key's finger-print for check when use.

[AlvaroBrey]

In the same time , you say "HPKP is deprecated" , do you known why ?

See https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning :

HPKP got deprecated in 2018 after intents of removing it started in 2017. Almost all browsers no longer support it as attacks against HPKP surfaced. HPKP is being replaced by the reactive Certificate Transparency framework coupled with the Expect-CT header.

---

And you said static( hardcoded ) pinning , if have , is better than don't have pinning

We can't hardcode cert pins; the app supports arbitrary servers. The only way to do what you ask is, as you suggest, to store the public key on first connection and check it for subsequent connections. I just meant that TrustKit cannot do this.

[erickhao]

Hi Alvaro Brey , Thanks for reply . What you said all is true.

As https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning said: It is about browsers , that no longer support HPKP. We are work on nextcloud client , the server it talked just is the Nextcloud server , not other web server. NOT what the browser maker concern about. What we concern about is the server -- our nextcloud server is the nextcloud (Android / iOS / Desktop) client connected , not others. No matter it use which certificate issuer , We want it is the Server we setuped , So we ( the nextcloud client ) should check the nextcloud server's public key ( maybe in different certificate) .

About how to implement , I suggest , after read the RFC of HPKP ( as he said , it is possible to implement HPKP on client only ), and RFC 5280 (section 4.2.1.2 ), as I quoted in the following , is to just record subject key identifier of server's certificate in nextcloud client . Every time the client connect to the server , it is checked if it is equal to the first time we record it . If no different , OK pass; If do different , Stop ,and report to user. User can select to by pass the the prompt , but at least the user is warned .

As you said , we may not use TrustKit to implement the function. Still as you said, store the public key on first connection and check it for subsequent connections would be better.

It can be set as an option for user to enable or not.

Thanks again. Best wishes.

4.2.1.2. Subject Key Identifier

The subject key identifier extension provides a means of identifying certificates that contain a particular public key.

For end entity certificates, the subject key identifier extension provides a means for identifying certificates containing the particular public key used in an application. Where an end entity has obtained multiple certificates, especially from multiple CAs, the subject key identifier provides a means to quickly identify the set of certificates containing a particular public key. To assist applications in identifying the appropriate end entity certificate, this extension SHOULD be included in all end entity certificates.

An example for reference , get from openssl :

    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (2048 bit)
            Modulus:
                00:c0:1a:fc:d6:b4:0f:4a:aa:45:37:db:57:b5:5a:
                a0:96:20:56:94:09:03:a6:7e:5b:72:6d:6a:58:6a:
                b3:c1:74:df:68:21:32:37:a7:67:59:f3:0f:68:40:
                24:0a:a2:1e:99:e6:77:a7:83:ab:14:a6:5c:c1:ad:
                cb:3b:5b:c2:51:e7:4a:c9:1b:1e:8d:cf:a6:8a:91:
                6b:82:07:25:ea:b8:da:22:b1:de:86:de:30:91:64:
                ab:d2:fc:2c:38:59:15:91:e5:a2:b0:93:20:14:d6:
                d9:6c:ed:0b:30:94:71:ca:a5:90:6c:ab:24:24:7c:
                86:42:e3:da:e6:af:d0:b5:24:bb:5c:e8:00:c0:b5:
                9f:1b:82:4e:96:f6:69:5a:4c:8c:69:33:ec:42:3d:
                99:d5:8a:07:f5:60:b9:47:ea:9b:4b:a8:95:ce:5e:
                74:e6:66:7d:46:59:b2:22:e0:3d:78:ef:c4:5f:67:
                d8:4f:e4:0c:ea:0f:e0:68:73:a4:d1:c2:bf:3d:5e:
                1d:eb:2f:2c:98:5b:b8:36:29:4a:c0:27:cd:86:e0:
                87:4b:50:7e:a8:ab:89:4c:e8:b4:dd:07:e3:99:54:
                53:93:76:50:7c:57:a9:f2:4c:5b:81:31:96:4d:fb:
                6f:1a:b1:58:a8:68:0c:b4:12:96:cc:c3:d3:04:9b:
                0f:71
            Exponent: 65537 (0x10001)
    X509v3 extensions:

        X509v3 Subject Key Identifier: 
            4A:07:91:3F:F0:62:75:22:C7:70:0F:21:25:1A:11:72:8B:DC:AD:F4

[ne20002]

I don't like pinning. I'd rather would go to really secure solutions:

• client certificate
• DANE certificate check

[DimanNe]

@ne20002 Yes, it would nice to use client certificates, but unfortunately nextcloud android app is the ONLY app that does not support client certificates:

• browsers can use client certificates
• devx5 can use client certificates

but Nextcloud official app says this: "SSL initialisation failed".

[AndyScherzinger]

As stated in the other issue @DimanNe the next feature release with ship support for client certificates. Can I also suggest to not put out ultimate statements when it is relatively clear that this isn't the case, i.e. the list of apps for Nextcloud is quite lengthy nowadays, see https://search.f-droid.org/?q=Nextcloud and I doubt than all of them except the Files client support client certificates.