Date: Wed, 10 Feb 2016 13:35:17 -0800 From: Matthew McPherrin <mmc@...areup.com> To: oss-security@...ts.openwall.com Subject: CVE request - OkHttp Certificate Pining Bypass A vulnerability was discovered in OkHttp that allows an attacker to bypass certificate pinning. OkHttp did not validate that the pinned certificate was in the chain to a trusted certificate authority. This resulted in an attacker being able to present a certificate chain with a certificate issued by one trusted certificate authority, and additionally including the pinned certificate authority. Because the pinned certificate was present, and the certificate was issued by a trusted certificate authority, the server's certificate was accepted. However, it should not have been accepted as the pinned certificate was not in the trust chain. This allows an attacker to obtain a certificate from a non-pinned but trusted CA, then have OkHttp connect to that server, bypassing certificate pinning.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ