Feature request: support certificate pinning for Cronet on iOS to prevent man in the middle
Issue description

Steps to reproduce the problem:
1. set up mitm proxy
2. set up proxy on android phone
3. install the certificate following https://mitmproxy.org/doc/certinstall.html#docCA
4. Connect to a server supporting both http2 and quic e.g., https://app.snapchat.com/discover/channel_list?region=US

What is the expected behavior?
We should not be able to eavesdrop on the traffic using a man in the middle proxy.

What went wrong?
We can see the actual traffic as below.

    /Users/zhihua.wen/git/android/snapchat/app/build/intermediates/exploded-aar/com.brightcove.player/android-sdk/4.3.2/res/drawable-hdpi-v4/no_edge_attribute.png: libpng warning: iCCP: Not recognizing known sRGB profile that has been edited
    /Users/zhihua.wen/git/android/snapchat/app/build/intermediates/exploded-aar/com.brightcove.player/android-sdk/4.3.2/res/drawable-hdpi-v4/raised_edges.png: libpng warning: iCCP: No
    2015-08-18 14:42:45 GET https://app.snapchat.com/discover/channel_list?region=US
                        ← 200 application/json 72.66kB 9.83MB/s
    Request Response
    X-Snapchat-Request-Id: 55d3a5ad00ff00ffc6afe50253b10001737e6665656c696e736f6e6963652d68726400016d617374657234373034300001020177
    X-Snapchat-Notice: Snapchat Private APIs - Unauthorized use is prohibited.
    Pragma: Public
    Content-Type: application/json; charset=UTF-8
    Date: Tue, 18 Aug 2015 21:37:49 GMT
    Server: Google Frontend
    Cache-Control: public, max-age=300
    Age: 296
    Alternate-Protocol: 443:quic,p=1
    Alt-Svc: quic=":443"; p="1"; ma=604800
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
    ...

Did this work before? No

Chrome version: 44.0.2403.155
Channel: stable
OS Version: OS X 10.10.3
Flash Version: Shockwave Flash 18.0 r0
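The interception shown above succeeds because the proxy's forged certificate chains to a CA the user installed, so ordinary trust-store validation passes. Public key pinning closes that gap by also requiring the chain to contain a key the app expects. The following Python is an added example, not code from this issue or from Cronet: it computes HPKP-style pins (base64 of SHA-256 over the DER SubjectPublicKeyInfo, as in RFC 7469) and checks a presented chain against a pin set with a backup pin and an expiry; the SPKI byte strings are constructed Ed25519 keys, not real certificates.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed sample inputs: DER SubjectPublicKeyInfo blobs for Ed25519 keys
# (OID 1.3.101.112). The 32-byte key material is made up for this example.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
APP_LEAF_SPKI = ED25519_SPKI_PREFIX + bytes(range(32))        # the genuine server key
APP_BACKUP_SPKI = ED25519_SPKI_PREFIX + bytes(range(32, 64))  # operator's offline backup key
MITM_LEAF_SPKI = ED25519_SPKI_PREFIX + bytes(range(64, 96))   # key in the proxy's forged leaf
MITM_CA_SPKI = ED25519_SPKI_PREFIX + bytes(range(96, 128))    # the user-installed proxy CA

# Evaluation times used by the checks below (constructed dates).
EVAL_TIME = datetime(2017, 8, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2018, 6, 1, tzinfo=timezone.utc)


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pinned, expires, now):
    """True if the pin set is still in force and some cert in the chain matches a pin.

    RFC 7469 semantics: any certificate in the validated chain may satisfy a pin,
    and once the pin set has expired the host is simply no longer pinned.
    """
    if now >= expires:
        return True  # pins expired: only ordinary trust-store validation applies
    return any(spki_pin(spki) in pinned for spki in chain_spkis)


# Operator configuration: pin the leaf plus a backup key, with an expiry date.
PINS = {spki_pin(APP_LEAF_SPKI), spki_pin(APP_BACKUP_SPKI)}
PIN_EXPIRY = datetime(2017, 12, 31, tzinfo=timezone.utc)


def check_genuine_chain(now=EVAL_TIME) -> bool:
    """Chain from the genuine server: the leaf key matches a pin."""
    return chain_matches_pins([APP_LEAF_SPKI], PINS, PIN_EXPIRY, now)


def check_intercepted_chain(now=EVAL_TIME) -> bool:
    """Chain from the proxy: the trust store accepts it, the pins reject it."""
    return chain_matches_pins([MITM_LEAF_SPKI, MITM_CA_SPKI], PINS, PIN_EXPIRY, now)


if __name__ == "__main__":
    print("genuine chain accepted:", check_genuine_chain())          # True
    print("intercepted chain accepted:", check_intercepted_chain())  # False
```

Note the last branch: after `PIN_EXPIRY` the intercepted chain is accepted again, which is why a pin set needs a rotation plan before it lapses.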
Jun 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a7ac5d97093331a18c69d16a2ebe82bde507c1bd

commit a7ac5d97093331a18c69d16a2ebe82bde507c1bd
Author: mef <mef@chromium.org>
Date: Mon Jun 26 21:37:37 2017

[Cronet] Export NSError constants instead of defining them in Cronet.h

BUG= 670689
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.android:android_cronet_tester
Review-Url: https://codereview.chromium.org/2956973002
Cr-Commit-Position: refs/heads/master@{#482418}

[modify] https://crrev.com/a7ac5d97093331a18c69d16a2ebe82bde507c1bd/components/cronet/ios/Cronet.h
[modify] https://crrev.com/a7ac5d97093331a18c69d16a2ebe82bde507c1bd/components/cronet/ios/Cronet.mm
Jul 12 2017
Two more applicable CLs:
https://codereview.chromium.org/2928653002/
https://codereview.chromium.org/2937523002/
Jul 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1abbed6f57b85c0bb93029e87a0cfda423510c1f

commit 1abbed6f57b85c0bb93029e87a0cfda423510c1f
Author: Misha Efimov <mef@chromium.org>
Date: Mon Jul 31 23:09:48 2017

[Cronet] Fix use after free in Cronet PKP test on iOS.

Bug: 670689
Change-Id: I7d09af8130233525bcbf41443266b40709e8b99a
Reviewed-on: https://chromium-review.googlesource.com/568805
Reviewed-by: Andrei Kapishnikov <kapishnikov@chromium.org>
Commit-Queue: Misha Efimov <mef@chromium.org>
Cr-Commit-Position: refs/heads/master@{#490816}

[modify] https://crrev.com/1abbed6f57b85c0bb93029e87a0cfda423510c1f/components/cronet/ios/test/cronet_pkp_test.mm
Comment 1 by mef@chromium.org, Dec 2 2016