Task #13206
Task #13202: Huawei Pentest Remediation
HUAWEI - L2 - Missing Certificate/ Public Key Pinning
| Status: | Closed - End of life cycle | Start date: | September 07, 2022 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | MUHAMMAD IHSAN | % Done: | 100% |
| Category: | PCI DSS - Pentest | Spent time: | - |
| Target version: | - | | |
Description
Description:
Pinning is the process of associating a host with its expected X.509 certificate or public key. Once a certificate or public key is known for a host, it is associated with, or 'pinned' to, that host. If more than one certificate or public key is acceptable, the program holds a pinset; the identity the server presents must then match at least one element of the pinset.
A host's or service's certificate or public key can be added to an application at development time, or it can be added on first encountering the certificate or public key (trust on first use). The former, adding at development time, is preferred: preloading the certificate or public key out of band means an attacker who is already on the path at first contact cannot taint the pin.
LGMS Solution:
Implement certificate or public key pinning so that the application does not trust a fraudulently issued certificate even when it chains to a CA in the device trust store.
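The mechanism described above and the fix LGMS asks for, shown as an added, self-contained example; this is not code from the Huawei application, LGMS or Penril. It is plain Go standard library: the pinset holds base64(SHA-256(SubjectPublicKeyInfo)) values, chain validation against the trust store still runs, and the pin check runs on top of it in `VerifyPeerCertificate`. The host name `pinned.example` and every certificate are constructed at run time as test data; the pinset also carries a backup pin so a key rotation does not lock out installed clients. The "rogue" certificate stands in for a fraudulently issued one: it passes chain validation (the client trusts its issuer) but its key is not pinned.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Pinset holds the pins accepted for one host: "sha256/" + base64(SHA-256(SPKI)).
// A real client compiles these in at build time (the out-of-band preload the
// description prefers); here main() derives them from constructed certificates.
type Pinset map[string]struct{}

// SPKIPin hashes the DER-encoded SubjectPublicKeyInfo, the "sha256/..." form used by
// OkHttp and HPKP. Pinning the key rather than the whole certificate lets the server
// renew its certificate with the same key without shipping an app update.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPins accepts the presented chain only if at least one certificate in it carries
// a pinned key: the presented identity must match one element of the pinset.
func VerifyPins(rawCerts [][]byte, pins Pinset) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		if _, ok := pins[SPKIPin(cert)]; ok {
			return nil
		}
	}
	return errors.New("certificate pinning failure: no key in the presented chain is in the pinset")
}

// newSelfSignedCert creates a throwaway P-256 key and self-signed certificate for host.
// Constructed test data standing in for a real server certificate.
func newSelfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Handshake runs one TLS handshake over an in-memory pipe (no network) between a server
// presenting serverCert and a client that trusts trustedRoot AND enforces pins.
// Pinning is layered on top of ordinary path validation, never used instead of it.
func Handshake(host string, serverCert tls.Certificate, trustedRoot *x509.Certificate, pins Pinset) error {
	serverSide, clientSide := net.Pipe()
	go func() {
		srv := tls.Server(serverSide, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		srv.Handshake() // fails with the client's alert in the rogue case; that is expected
		serverSide.Close()
	}()
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	client := tls.Client(clientSide, &tls.Config{
		ServerName: host,
		RootCAs:    roots, // normal path validation against the trust store...
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return VerifyPins(rawCerts, pins) // ...and then the pin check on top of it
		},
	})
	err := client.Handshake()
	clientSide.Close()
	return err
}

func main() {
	serverCert, leaf, err := newSelfSignedCert("pinned.example")
	if err != nil {
		panic(err)
	}
	// Pinset fixed "at development time": the live key plus a backup pin for a key held
	// offline, so rotating to the backup key does not lock every installed client out.
	_, backupLeaf, _ := newSelfSignedCert("pinned.example")
	pins := Pinset{SPKIPin(leaf): {}, SPKIPin(backupLeaf): {}}
	fmt.Println("pin for live key:", SPKIPin(leaf))
	fmt.Println("live key:", Handshake("pinned.example", serverCert, leaf, pins))
	// Fraudulently issued certificate: same name, trusted issuer, unpinned key -> refused.
	rogueCert, rogueLeaf, _ := newSelfSignedCert("pinned.example")
	fmt.Println("rogue key:", Handshake("pinned.example", rogueCert, rogueLeaf, pins))
}
```

The pin check deliberately sits in `VerifyPeerCertificate` with `RootCAs` still set: an implementation that pins by setting `InsecureSkipVerify` and comparing certificates by hand loses hostname and expiry checks, which is a common mistake when retesting this finding. Pin the SPKI of the leaf or of the issuing intermediate, keep at least one backup pin for a key stored offline, and plan the app release that rotates the pinset before the server key actually changes.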
Penril Plan:
TBC - BSN to justify
History
#1 Updated by MUHAMMAD IHSAN almost 2 years ago
- File Pinning.png added
- Status changed from New - Begin Life Cycle to Finished Development
- Assignee changed from Rahmat Aina Nadia to MUHAMMAD IHSAN
- % Done changed from 0 to 100
Certificate/Public key pinning is implemented in the application.
#2 Updated by Binti Marobi Athirah Umairah over 1 year ago
- Status changed from Finished Development to Closed - End of life cycle
Deployed to SIT on 15/4/22
Deployed to UAT on 18/4/22
Confirmed by azyan on 23/3/23; now pending LGMS feedback and the result of the new testing cycle.