SSL Certificate Pinning using flutter #16066
Comments
We publish a plugin: https://pub.dartlang.org/packages/ssl_pinning_plugin to check pinning with fingerprint (SHA-1).
Is this available yet? Documentation?
It's operational, we are writing the documentation for the release.
That would be great. So you have a new release for the 0.5.7 beta? It doesn't seem to be compatible with the latest Flutter beta. Getting error: The current Flutter SDK version is 0.5.7. Because ssl_pinning_plugin requires Flutter SDK version ^0.4.4, version solving failed.
dart-lang/sdk#33115 mentions that this is now fixed in Flutter
Yes, it works
Great! Thanks for the update @long1eu 👍
Well, as I can see, only sha1 is supported. This is a shame, sha1 is very weak. Any thoughts to add sha256? Sha1 is not even worth
@giaur500 please create a feature request in https://github.com/dart-lang/sdk/issues
@zoechi @mit-mit thanks for certificate pinning support. Can the SecurityContext validate a public key instead of a certificate? This is more future proof as certificate pinning comes with issues of certificate expiry. Or can X509Certificate include a public key sha256 signature? Most native apps are built on public key pinning. This has become one major blockage for our client. Can we reopen the current issue and dart-lang/sdk#33115, since there has not been any activity on the Dart SDK issue for months?
Is this issue resolved for SHA2 certificates? I used webview in my application and it stopped after I installed ssl on my server.
The ssl_pinning_plugin makes its own HTTPS request and checks the certificate. It does not check certificates used by the app's real requests. I see no way to accomplish that with the plugin. This means that apps using the plugin are still vulnerable to MITM. Edit: I requested a fix in macif-dev/ssl_pinning_plugin#3.
I want to add a trusted certificate to my HttpClient, but this is not very efficient. Certificates expire so I want to pin the public key. Is there a way to do this in dart/flutter?
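
Added example (not part of the thread, and not code from Flutter, the Dart SDK or ssl_pinning_plugin): one way to pin the server's public key, as the question above asks, and to check it on the certificate of the app's own request rather than on a separate probe connection. It assumes the `crypto` pub package; `pinnedSpki`, `spkiPin` and `pinnedGet` are hypothetical names and the pin value is a placeholder.

```dart
import 'dart:convert';
import 'dart:io';
import 'dart:typed_data';

import 'package:crypto/crypto.dart'; // assumed dependency: pub package "crypto"

// Placeholder, not a real pin: base64(SHA-256(DER SubjectPublicKeyInfo)).
// Include a backup key's pin so the server key can be rotated.
const pinnedSpki = <String>{'REPLACE_WITH_BASE64_SPKI_SHA256'};

/// Returns [contentStart, elementEnd] of the DER TLV that begins at [off].
List<int> _tlv(Uint8List d, int off) {
  var len = d[off + 1];
  var p = off + 2;
  if ((len & 0x80) != 0) {
    final n = len & 0x7f; // long form: low 7 bits count the length bytes
    len = 0;
    for (var i = 0; i < n; i++) {
      len = (len << 8) | d[p++];
    }
  }
  if (p + len > d.length) throw FormatException('truncated DER');
  return [p, p + len];
}

/// base64(SHA-256(SubjectPublicKeyInfo)) of a DER-encoded X.509 certificate.
String spkiPin(Uint8List der) {
  var p = _tlv(der, _tlv(der, 0)[0])[0]; // into Certificate, then tbsCertificate
  if (der[p] == 0xA0) p = _tlv(der, p)[1]; // skip optional [0] version
  for (var i = 0; i < 5; i++) {
    p = _tlv(der, p)[1]; // serialNumber, signature, issuer, validity, subject
  }
  final spki = der.sublist(p, _tlv(der, p)[1]); // full TLV, header included
  return base64.encode(sha256.convert(spki).bytes);
}

/// GET on the app's own HttpClient; the body is read only if the key is pinned.
/// Chain and hostname validation still run first. The request itself has been
/// sent by the time this check runs, so call it before sending credentials.
Future<String> pinnedGet(HttpClient client, Uri url) async {
  final response = await (await client.getUrl(url)).close();
  final cert = response.certificate; // null when the connection is not TLS
  if (cert == null || !pinnedSpki.contains(spkiPin(cert.der))) {
    (await response.detachSocket()).destroy(); // drop it without reading the body
    throw TlsException('public key pin mismatch for ${url.host}');
  }
  return utf8.decodeStream(response);
}
```

Because the pin covers only the SubjectPublicKeyInfo, a renewed certificate issued for the same key pair keeps matching.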