ssl_pinning_plugin icon indicating copy to clipboard operation
ssl_pinning_plugin copied to clipboard

Published 20 hours ago verified publisher icon macif-dev

Check certificate while sending and receiving data

Open mleonhard opened this issue 6 years ago • 8 comments
trafficstars

My dartlang application performs network requests like this:

Future<List<int>> streamToBytes(Stream<List<int>> stream) => stream
        .fold(new BytesBuilder(), (BytesBuilder bytesBuilder, List<int> bytes) {
      bytesBuilder.add(bytes);
      return bytesBuilder;
    }).then((BytesBuilder bytesBuilder) => bytesBuilder.takeBytes());

final HttpClient client = new HttpClient();
Map<String, String> headers = Map.from(headers);
final HttpClientRequest request = await client.postUrl(url);
request.headers.set('user-agent', userAgent));
request.headers.contentLength = bytes.length;
request.add(bytes);
final HttpClientResponse response = await request.close();
final List<int> bytes = await streamToBytes(response);
return new HttpResponse(response.statusCode, response.reasonPhrase,
        response.headers.value(HttpHeaders.contentTypeHeader) ?? '', bytes);

Please add a way to check the certificate used by such requests, to protect the data sent and received by the app.

mleonhard avatar Sep 26 '19 23:09 mleonhard

Hi @us3soap, thank you for creating an awesome plugin. We are looking forward to using this but this issue mentioned above is holding us back. Please let me know what would it take to add "certificate check" into the plugin so we safely implement cert pinning through this plugin. Thanks very much for your contribution!

smian-esba avatar Nov 06 '19 02:11 smian-esba

Hi, sorry for the delay.

Do you need support or evolution ?

us3soap avatar Mar 09 '20 08:03 us3soap

As mentioned by @mleonhard in this thread, i guess the plugin makes a separate call to same domain for validating the keys.

Therefore, two calls are being made for every request where we need SSL pinning. It would be really nice if we can validate Certificate Key in the original request itself.

sahil-oyo avatar Apr 21 '20 07:04 sahil-oyo

@sahilpatel16 do we have anything alternative to these solution. I found this code in stackoverflow

HttpClient client = new HttpClient(); client.badCertificateCallback = ((X509Certificate cert, String host, int port) { final isValidHost = host == "api.my_app"; return isValidHost; }); what is this host checking here can anyone explains it.

basnetjiten avatar Apr 24 '20 05:04 basnetjiten

There is inbuilt support for SSL pinning in dart but it does not cover all the cases. A possible alternative would be to get inbuilt support fixed.

Checkout this and this

HttpClient client = new HttpClient(); client.badCertificateCallback = ((X509Certificate cert, String host, int port) { final isValidHost = host == "api.my_app"; return isValidHost; }); what is this host checking here can anyone explains it.

In the code snippet you are checking if the request is coming from the desired host. I am not sure about your use case but this does not help us with MITM attacks.

sahil-oyo avatar Apr 24 '20 06:04 sahil-oyo

Any update?

bkhezry avatar Dec 10 '20 00:12 bkhezry

Bump! Any update on this issue?

akrmr avatar Jul 07 '21 16:07 akrmr

It's been three years since this was opened, let us know if there's any update.

shubhamhackz avatar Sep 30 '22 09:09 shubhamhackz