 

Certificate Pinning on .NET

I want to limit my .NET application to accept only known certificates. So how can I enforce certificate pinning on .NET? What is the best practice? Is it OK to just validate thumb print?

Yazginin Firati asked Jan 29 '13 18:01




2 Answers

Per OWASP, you can implement certificate and public key pinning using .NET's ServicePointManager class.

HBCondo answered Oct 14 '22 04:10


https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#.Net

This URL already has a good example.

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public class PinnedRequest
{
  // Encoded RSAPublicKey, as the hex string X509Certificate.GetPublicKeyString() returns
  private static readonly string PUB_KEY = "30818902818100C4A06B7B52F8D17DC1CCB47362" +
      "C64AB799AAE19E245A7559E9CEEC7D8AA4DF07CB0B21FDFD763C63A313A668FE9D764E" +
      "D913C51A676788DB62AF624F422C2F112C1316922AA5D37823CD9F43D1FC54513D14B2" +
      "9E36991F08A042C42EAAEEE5FE8E2CB10167174A359CEBF6FACC2C9CA933AD403137EE" +
      "2C3F4CBED9460129C72B0203010001";

  public static void Main(string[] args)
  {
    // Every TLS handshake made through ServicePointManager is now routed through PinPublicKey
    ServicePointManager.ServerCertificateValidationCallback = PinPublicKey;
    WebRequest wr = WebRequest.Create("https://encrypted.google.com/");
    wr.GetResponse().Close();
  }

  public static bool PinPublicKey(object sender, X509Certificate certificate, X509Chain chain,
                                  SslPolicyErrors sslPolicyErrors)
  {
    if (null == certificate)
      return false;

    // Accept the connection only if the server's public key is the pinned one
    string pk = certificate.GetPublicKeyString();
    if (pk.Equals(PUB_KEY))
      return true;

    // Bad dog
    return false;
  }
}
NINJAJA answered Oct 14 '22 03:10
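Both answers point at the ServicePointManager callback, which is the .NET Framework route. The following is an added example, written here and not taken from OWASP or either answer, showing the same pinning idea on .NET 5 or later with HttpClient. It pins the SHA-256 hash of the certificate's SubjectPublicKeyInfo (the value HPKP used) instead of the thumbprint the question asks about: a thumbprint is a hash of the whole certificate, so it changes at every renewal, while a key pin survives renewals that keep the same key and lets you pre-publish a backup pin for rotation. It also keeps the platform's normal chain validation, so a pin narrows trust rather than replacing it. The class name SpkiPinValidator, the hostname pinned.example and the self-signed certificates generated in Main are assumptions constructed for the example; PublicKey.ExportSubjectPublicKeyInfo and SHA256.HashData require .NET 5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not the OWASP or answers' code): pin the SHA-256 of the server's
// DER SubjectPublicKeyInfo rather than the certificate thumbprint.
public sealed class SpkiPinValidator
{
    private readonly HashSet<string> _pins;

    // pins: base64 SHA-256 of the DER SPKI, e.g. computed with
    //   openssl x509 -in server.crt -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | base64
    // Add a pin for a pre-generated backup key so a key rotation does not lock clients out.
    public SpkiPinValidator(IEnumerable<string> pins)
    {
        _pins = new HashSet<string>(pins, StringComparer.Ordinal);
    }

    public static string SpkiSha256(X509Certificate2 cert)
    {
        // PublicKey.ExportSubjectPublicKeyInfo() and SHA256.HashData() exist from .NET 5.
        byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
        return Convert.ToBase64String(SHA256.HashData(spki));
    }

    // Signature matches HttpClientHandler.ServerCertificateCustomValidationCallback.
    public bool Validate(HttpRequestMessage? request, X509Certificate2? cert,
                         X509Chain? chain, SslPolicyErrors errors)
    {
        // Keep the normal chain, expiry and hostname checks: a pin narrows trust, it does not replace it.
        if (cert == null || errors != SslPolicyErrors.None)
            return false;
        return _pins.Contains(SpkiSha256(cert));
    }

    public HttpClient CreateClient()
    {
        var handler = new HttpClientHandler { ServerCertificateCustomValidationCallback = Validate };
        return new HttpClient(handler);
    }
}

public static class Program
{
    // Constructed test data: throwaway self-signed certificates stand in for the server's.
    private static X509Certificate2 NewSelfSigned(string cn)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest($"CN={cn}", rsa, HashAlgorithmName.SHA256,
                                             RSASignaturePadding.Pkcs1);
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                        DateTimeOffset.UtcNow.AddYears(1));
        }
    }

    public static void Main()
    {
        using (X509Certificate2 server = NewSelfSigned("pinned.example"))
        using (X509Certificate2 other = NewSelfSigned("pinned.example"))
        {
            var validator = new SpkiPinValidator(new[] { SpkiPinValidator.SpkiSha256(server) });

            // Pinned key and a clean chain result: accepted.
            Console.WriteLine(validator.Validate(null, server, null, SslPolicyErrors.None));
            // Different key under the same subject name: rejected even if a CA had issued it.
            Console.WriteLine(validator.Validate(null, other, null, SslPolicyErrors.None));
            // Pinned key but chain errors (untrusted root, expired, name mismatch): still rejected.
            Console.WriteLine(validator.Validate(null, server, null,
                                                 SslPolicyErrors.RemoteCertificateChainErrors));
        }
    }
}
```

In a real client, construct the validator with the production pins and hand out `validator.CreateClient()`; the three calls in Main only exercise the accept, wrong-key and chain-error paths offline. Note that the OWASP-style callback above returns true on a key match regardless of sslPolicyErrors, which means an expired or name-mismatched certificate with the right key would still be accepted; checking `errors == SslPolicyErrors.None` first avoids that.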