Okhttp: Feature Request: Certificate Transparency

Created on 25 Oct 2016 · 10 comments · Source: square/okhttp

With the news about chrome moving to require CT in 2017 I was wondering if / when okhttp will support this? https://www.certificate-transparency.org/

Sorry if it already does - I couldn't see any info on it. Thx :)

All 10 comments

You could probably do this in an interceptor. After the TLS handshake you call out to a certificate transparency log service. It'd also be a bit tedious to write because you'll need to identify which hosts to enforce the policy on.

I don't think we'll do this in OkHttp itself. Seems like the sort of thing that enthusiastic people could share via a separate GitHub project.
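The interceptor shape described in the comment above, as an added example that is not code from the issue, from OkHttp or from any library mentioned here. It assumes the OkHttp 3 Java API (okhttp3.Interceptor, Connection, Handshake); the class name, the isEnforced helper, the newClient helper and the host patterns are hypothetical. It only checks that an enforced host's leaf certificate carries the embedded SCT list extension; verifying the SCTs against a trusted log list (the tedious part the comment mentions) is left out.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.Connection;
import okhttp3.Handshake;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Response;

/** Network interceptor that fails closed when an enforced host presents a leaf
 *  certificate without an embedded SignedCertificateTimestampList (RFC 6962). */
public final class CertificateTransparencyInterceptor implements Interceptor {
  // OID of the X.509 extension that carries embedded SCTs.
  private static final String SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2";
  private final List<String> hostPatterns; // e.g. "*.twitter.com" or "api.example.com"

  public CertificateTransparencyInterceptor(List<String> hostPatterns) {
    this.hostPatterns = hostPatterns;
  }

  /** True if host matches a pattern; "*.x" matches subdomains of x, not x itself. */
  static boolean isEnforced(String host, List<String> patterns) {
    for (String p : patterns) {
      if (p.startsWith("*.")) {
        String suffix = p.substring(1); // ".x"
        if (host.endsWith(suffix) && host.length() > suffix.length()) return true;
      } else if (p.equalsIgnoreCase(host)) {
        return true;
      }
    }
    return false;
  }

  @Override public Response intercept(Interceptor.Chain chain) throws IOException {
    String host = chain.request().url().host();
    if (isEnforced(host, hostPatterns)) {
      // Network interceptors run after the connection exists, so the handshake can be
      // inspected before proceed() sends any request bytes. (Application interceptors
      // see a null connection here.)
      Connection connection = chain.connection();
      Handshake handshake = connection == null ? null : connection.handshake();
      if (handshake == null || handshake.peerCertificates().isEmpty()) {
        throw new SSLPeerUnverifiedException("CT enforced for " + host + " but no TLS handshake");
      }
      Certificate leaf = handshake.peerCertificates().get(0);
      if (!(leaf instanceof X509Certificate)
          || ((X509Certificate) leaf).getExtensionValue(SCT_LIST_OID) == null) {
        throw new SSLPeerUnverifiedException("CT enforced for " + host + " but no embedded SCT list");
      }
    }
    return chain.proceed(chain.request());
  }

  /** The interceptor must be registered as a network interceptor to see the handshake. */
  public static OkHttpClient newClient(List<String> hostPatterns) {
    return new OkHttpClient.Builder()
        .addNetworkInterceptor(new CertificateTransparencyInterceptor(hostPatterns))
        .build();
  }
}
```

SCTs delivered through the TLS extension or OCSP stapling are not visible in the certificate, so a host using only those would be rejected by this presence check.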

Ah, that's a shame, but I guess I'm just being lazy - would be cool if the ConnectionSpec allowed you to pass CTLogHosts ... or something :)

This is something my team would also love to see. CT can be enabled with a flag on iOS, making it easy to add without worrying about keeping up with the currently available log servers.
Do any of you know of any project that has popped up implementing CT on Android?

With Public Key Pinning being removed from Chrome, Expect-CT is going to become the de facto replacement. @swankjesse would you accept a PR to integrate CT checks in the core?

I would like to see a third-party certificate transparency interceptor first. I'm worried about how much code it is, and also how popular it is.

I work at Babylon Health, where we have just open-sourced our network interceptor for certificate transparency at https://github.com/Babylonpartners/certificate-transparency-android

The project as of this writing is still in its early stages. We will be doing more work on it over the coming weeks. However, it would be great to get some feedback and understanding of how people expect to use the library.

@mattmook This project is awesome. Nice work!

@mattmook That seems to work amazingly well, I'm just blocked on the internal API usage for my test client.

https://github.com/yschimke/okurl/pull/362/files

$ ./okurl --ct LOG --ctHost '*.twitter.com' https://api.twitter.com/robots.txt
CT: api.twitter.com Success: SCT trusted logs {u9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YU==Valid SCT, h3W/51l8+IxDmV+9827/Vo1HVjb/SrVgwbTq/16ggw8==Valid SCT}
# Used for Google app indexing. See https://developers.google.com/app-indexing/webmasters/server
User-agent: Googlebot
Disallow:

User-agent: *
Disallow: /

If okhttp exposed the PublicSuffixDatabase, that would seem to be a sensible default set of hosts to run for.

Also seems a bit curious that you create your own internal OkHttp client. I think most larger app developers would want control of the things in their app that create network connections.

https://github.com/Babylonpartners/certificate-transparency-android/blob/0afdade9e3689277ae9d842c6fb09a04ef89527f/lib/src/main/kotlin/com/babylon/certificatetransparency/internal/logclient/LogClientFactory.kt#L33
