Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 10 Feb 2016 13:35:17 -0800
From: Matthew McPherrin <mmc@...areup.com>
To: oss-security@...ts.openwall.com
Subject: CVE request - OkHttp Certificate Pining Bypass

A vulnerability was discovered in OkHttp that allows an attacker to bypass
certificate pinning. OkHttp did not validate that the pinned certificate
was in the chain to a trusted certificate authority.

This resulted in an attacker being able to present a certificate chain with
a certificate issued by one trusted certificate authority, and additionally
including the pinned certificate authority. Because the pinned certificate
was present, and the certificate was issued by a trusted certificate
authority, the server's certificate was accepted. However, it should not
have been accepted as the pinned certificate was not in the trust chain.

This allows an attacker to obtain a certificate from a non-pinned but
trusted CA, then have OkHttp connect to that server, bypassing certificate
pinning.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.