
Elaborate if "dynamic" certificate pinning can be used to even secure the login process more
Open, Low, Public

Description

Whenever a device is paired with the Android app, the app could probably somehow save the fingerprint of the certificate of the MediaWiki site at this point. This would protect the login flow from being read by a man-in-the-middle attacker who could somehow have installed a transparent HTTPS proxy and got their fingers on a valid HTTPS certificate.

However, this would probably make it harder for people to change their certificate if they do that at all, so this should be seen as a possibility only, which might or might not be implemented in the future. It's, however, by far not the priority for now :)
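The following is an added illustration of the trust-on-first-use pinning the description sketches; it is not code from this task or from the app, and it is written in Python rather than the app's own language so the logic is easy to read. The host name, the `PinStore` and `pinned_connect` names, and the byte strings standing in for DER-encoded certificates are all constructed for the example. The store records the SHA-256 fingerprint of the certificate seen at pairing time and refuses later connections whose certificate differs; changing the pin requires an explicit re-pairing step, which is exactly the operational cost the description mentions.

```python
import hashlib
import hmac
import json
import socket
import ssl

# Constructed placeholder bytes; a real pin is computed over the DER-encoded
# certificate returned by the TLS peer, not over strings like these.
CERT_AT_PAIRING = b"constructed DER placeholder: certificate seen while pairing"
CERT_FROM_PROXY = b"constructed DER placeholder: different certificate presented later"


class PinMismatch(Exception):
    """Raised when a host's certificate does not match the fingerprint saved at pairing."""


class PinStore:
    """Trust-on-first-use store: host -> hex SHA-256 fingerprint of the DER certificate."""

    def __init__(self, pins=None):
        self._pins = dict(pins or {})

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        return hashlib.sha256(der_cert).hexdigest()

    def is_pinned(self, host: str) -> bool:
        return host in self._pins

    def pair(self, host: str, der_cert: bytes) -> str:
        """Record the fingerprint during device pairing (the trust-on-first-use moment)."""
        self._pins[host] = self.fingerprint(der_cert)
        return self._pins[host]

    def verify(self, host: str, der_cert: bytes) -> bool:
        """True only if the host was pinned and the presented certificate matches the pin."""
        expected = self._pins.get(host)
        if expected is None:
            return False
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(expected, self.fingerprint(der_cert))

    def repin(self, host: str, der_cert: bytes) -> str:
        """Only path for accepting a changed certificate: an explicit, user-driven re-pairing."""
        return self.pair(host, der_cert)

    def dumps(self) -> str:
        """Serialise pins for app-private storage (constructed JSON layout)."""
        return json.dumps(self._pins, sort_keys=True)

    @classmethod
    def loads(cls, data: str) -> "PinStore":
        return cls(json.loads(data))


def pinned_connect(store: PinStore, host: str, on_verified, port: int = 443, timeout: float = 10.0):
    """Open a TLS connection, keep normal CA validation, then additionally enforce the pin.

    on_verified(tls_socket) is called only after the pin check passes; its return value
    is returned to the caller. A pin mismatch raises PinMismatch before any request is sent.
    """
    ctx = ssl.create_default_context()  # CA validation stays on as the first layer
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not store.verify(host, der):
                raise PinMismatch(f"certificate for {host} does not match the fingerprint saved at pairing")
            return on_verified(tls)


def demo() -> dict:
    """Walk through pairing, a matching connection, and an interposed certificate."""
    store = PinStore()
    pin = store.pair("wiki.example", CERT_AT_PAIRING)          # done once, while pairing
    accepted = store.verify("wiki.example", CERT_AT_PAIRING)   # later login: same cert, OK
    rejected = store.verify("wiki.example", CERT_FROM_PROXY)   # interposed cert: refused
    unpinned = store.verify("other.example", CERT_AT_PAIRING)  # never paired: refused
    restored = PinStore.loads(store.dumps()).verify("wiki.example", CERT_AT_PAIRING)
    return {"pin": pin, "accepted": accepted, "rejected": rejected,
            "unpinned": unpinned, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

Two design notes for anyone picking this up: pinning is layered on top of, not instead of, ordinary CA validation, so a pin mismatch is an additional reason to abort rather than a replacement check; and because a pin on the whole certificate breaks on every routine renewal, pinning the server's public key (SPKI) instead of the full certificate is the usual way to soften the re-pairing cost the description warns about, at the price of slightly more parsing.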

Event Timeline

Florian created this task. May 21 2019, 5:19 PM
Restricted Application added a subscriber: Aklapper. May 21 2019, 5:20 PM
Florian triaged this task as Low priority. May 21 2019, 5:20 PM