Certificate check leaks HTTP headers #44

@sebkoller

Description

When the certificates are fetched and verified on Android and iOS, the headers of the actual request are sent.
In case of a MITM attack, HTTP headers, which often contain authorization headers, are leaked to the attacker.

My suggestion:

  1. Headers are not needed to download the certificates
  2. There is no need to do a full HTTP request to get the certificates. Opening an SSL/TLS connection is sufficient.

Here is an example to fetch the certificates with an SSLSocket in Kotlin:

import java.io.IOException
import javax.net.ssl.SSLPeerUnverifiedException
import javax.net.ssl.SSLSocket
import javax.net.ssl.SSLSocketFactory

fun main() {
    val hostname = "example.com"
    val port = 443 // Default HTTPS port
    val timeout = 5000 // read timeout in ms; also bounds the handshake

    try {
        val factory = SSLSocketFactory.getDefault() as SSLSocketFactory
        val socket = factory.createSocket(hostname, port) as SSLSocket
        socket.soTimeout = timeout
        // SSLSocket does not check the hostname by itself (HttpsURLConnection does);
        // enable RFC 6125 endpoint identification so a cert for another host is rejected
        socket.sslParameters = socket.sslParameters.apply { endpointIdentificationAlgorithm = "HTTPS" }
        socket.startHandshake() // TLS handshake only; no application data (and no headers) is sent

        val session = socket.session
        val serverCertificate = session.peerCertificates[0] // leaf certificate, rest of the chain follows

        // verify certificate

        socket.close()
    } catch (ex: SSLPeerUnverifiedException) {
        // handle ssl exception
    } catch (ex: IOException) {
        // handle io exception
    }
}
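The two behaviours contrasted above, as an added example that is not part of the original issue or of the project's code. It is written in Go rather than Kotlin so that it runs offline: a mock TLS endpoint with a freshly generated self-signed certificate stands in for the real server (or for an attacker sitting in the path) and records whatever application data arrives after the handshake. The hostname `localhost`, the loopback address, the `Authorization: Bearer secret-token` header and the helper names (`spkiPin`, `checkPin`, `startMockServer`, `runDemo`) are all constructed for this example. The handshake-only variant is what the issue proposes; the request variant reproduces the behaviour being reported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"time"
)

// spkiPin returns the base64 SHA-256 of the SubjectPublicKeyInfo, the "sha256/..." pin format of OkHttp and HPKP.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPin completes a TLS handshake (chain and hostname validation included) and compares the leaf's pin
// with expectedPin. With request == "" nothing is ever written to the socket, which is what the issue
// proposes; a non-empty request reproduces sending the app's headers before the certificate is checked.
func checkPin(addr, serverName string, roots *x509.CertPool, expectedPin, request string) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots})
	if err != nil {
		return err
	}
	defer conn.Close()
	if request != "" {
		if _, err := conn.Write([]byte(request)); err != nil {
			return err
		}
	}
	// Verified chain, leaf first; never empty after a successful verifying handshake.
	if pin := spkiPin(conn.ConnectionState().PeerCertificates[0]); pin != expectedPin {
		return fmt.Errorf("pin mismatch: got %s, want %s", pin, expectedPin)
	}
	return nil
}

// startMockServer plays the endpoint, or an attacker interposed in front of it: a self-signed certificate
// is generated on the fly (constructed fixture) and each connection reports the data read after the handshake.
func startMockServer() (net.Listener, *x509.Certificate, <-chan string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		panic(err)
	}
	seen := make(chan string, 8)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.SetReadDeadline(time.Now().Add(time.Second))
			buf := make([]byte, 4096)
			n, _ := c.Read(buf) // Read drives the handshake, then returns what follows it: what a MITM would capture
			seen <- string(buf[:n])
			c.Close()
		}
	}()
	return ln, cert, seen
}

// runDemo returns what the server observed for a handshake-only check and for a check preceded by a full request.
func runDemo() (handshakeOnlySeen, requestSeen string, err error) {
	ln, cert, seen := startMockServer()
	defer ln.Close()
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	// Constructed request; the made-up bearer token stands in for the app's real one.
	req := "GET / HTTP/1.1\r\nHost: localhost\r\nAuthorization: Bearer secret-token\r\n\r\n"
	var got [2]string
	for i, r := range []string{"", req} {
		if err := checkPin(ln.Addr().String(), "localhost", roots, spkiPin(cert), r); err != nil {
			return "", "", err
		}
		got[i] = <-seen // in a real app the expected pin is shipped with the build, not read from the peer
	}
	return got[0], got[1], nil
}

func main() {
	fmt.Println(runDemo())
}
```

Running it prints an empty string for the handshake-only check and the full request, bearer token included, for the other variant: both obtained and validated the same pin, but only the second one handed the attacker-side something to read. Note that `tls.Dial` validates the chain and the hostname against `ServerName` before returning, so the pin comparison runs on an already-verified leaf; the `SSLSocket` sketch above needs the endpoint identification algorithm set to get the same guarantee.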
