
Error on HTTP request to domain without #183

Open
trippingtarballs opened this issue Nov 9, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@trippingtarballs

Borrowed from a recently closed issue 😅 ty

I would like for the following to error:

```js
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

// Pins only google.com (and its subdomains); no entry exists for facebook.com.
const onInitializePinning = async () => {
  try {
    await initializeSslPinning({
      'google.com': {
        includeSubdomains: true,
        publicKeyHashes: [
          'CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk=',
          'hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=',
          'Vfd95BwDeSQo+NUYxVEEIlvkOlWY2SalKK1lPhzOx78=',
          'QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=',
          'mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=',
        ],
      },
    });
  } catch (e) {
    console.log('ERROR -> ', e);
    // setInitializeResult is the component's React state setter for the status text.
    setInitializeResult(`❌ ${e}`);
  }
};

// Request to a domain with no pinning entry: currently succeeds without any pin check.
const onFetch = async () => {
  try {
    const response = await fetch(`https://www.facebook.com`);
    console.log(`${response.ok ? '✅' : '❌'} Status: ${response.status}`);
  } catch (e) {
    console.log(`❌ ${e}`);
  }
};
```

I appreciate the previous answer given:

"facebook.com is not listed in your pinning configuration, so the network connection passes since we don't do further checks on connections to facebook.com" -- comment

However, might it be possible to extend react-native-ssl-public-key-pinning such that a request to a domain that does not match an entry in the PinningOptions raises an error (or even a warning)?

I want a way to identify when a developer adds a fetch() request to a domain and forgets to also add the publicKeyHashes for that domain.

@frw
Owner

frw commented Nov 10, 2023

The functionality you're describing is not something that's natively supported in OkHttp or TrustKit, but it is somewhat possible to implement.

I think the only potential issue is if it will make it too easy for devs to shoot themselves in the foot if we allow them to block unpinned domains, as a misconfiguration could mean an unusable app in production.

Could you clarify more on what you think are the benefits for such a feature? Would this increase security?

@trippingtarballs
Author

trippingtarballs commented Nov 10, 2023

The functionality you're describing is not something that's natively supported in OkHttp or TrustKit

Yesss, I did a little reading after I posted my question and came to the same conclusion after I found the list of exceptions the javax.net.ssl package includes.

Could you clarify more on what you think are the benefits for such a feature?

Developers make mistakes. Developers forget things. What if a new service is added to the app and pins for its domain are never added to the PinningOptions? If a domain is not listed in the PinningOptions then no checks are performed on that connection. How long before someone in the team thinks to check if an entry for that domain is listed in PinningOptions?

Would this increase security?

Not in production. It's more about the route to production ... Even if it was just a warning. Even if it was just for a debug build. A message might say:

  • "Pins check passed in connection to some.domain.com."
  • "Pins check skipped in connection to some.domain.com. Domain not included in options."

I appreciate this isn't strictly within the scope of react-native-ssl-public-key-pinning. But I work on a banking app, and pinning is important. I want a way I can have confidence all my app's upstream APIs are having their certs checked.

@jakob-p
Contributor

jakob-p commented Dec 6, 2023

I think a feature that blocks all requests for domains that do not have pinned certificates or are in an allowlist would be great!

It could increase security for react native apps as it could block malicious packages (e.g. from a supply chain attack) from stealing sensitive information by sending it to a third party server.
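A sketch of the check discussed in this thread (warn or fail on requests to hosts with no pinning entry, with an explicit allowlist for intentionally unpinned hosts), added here as an example; it is not code from react-native-ssl-public-key-pinning or from any commenter, and the pinning options, allowlist and host names it uses are constructed.

```javascript
// Added example, not code from react-native-ssl-public-key-pinning: a fetch wrapper
// that checks the request host against the pinning options before sending, so a
// host with no pin entry is reported instead of passing silently.

// Constructed pinning options in the shape used by the issue (placeholder hashes).
const pinningOptions = {
  'google.com': { includeSubdomains: true, publicKeyHashes: ['PLACEHOLDER_HASH_1='] },
  'api.bank.example': { includeSubdomains: false, publicKeyHashes: ['PLACEHOLDER_HASH_2='] },
};
// Constructed allowlist of hosts that legitimately carry no pins (e.g. a public CDN).
const allowlist = new Set(['cdn.assets.example']);

// Returns the key of the pinning entry covering `host`, or null when none does.
// An entry matches its exact domain and, with includeSubdomains, any subdomain.
function findPinnedDomain(host, options) {
  const h = host.toLowerCase();
  for (const domain of Object.keys(options)) {
    const d = domain.toLowerCase();
    if (h === d || (options[domain].includeSubdomains && h.endsWith('.' + d))) return domain;
  }
  return null;
}

// Classifies a URL as 'pinned', 'allowlisted' or 'unpinned'. Plain http:// URLs
// count as unpinned because pinning never applies to them.
function classifyRequest(url, options, allow) {
  const { protocol, hostname } = new URL(url);
  const https = protocol === 'https:';
  const domain = https ? findPinnedDomain(hostname, options) : null;
  if (domain) return { host: hostname, status: 'pinned', domain };
  if (https && allow.has(hostname.toLowerCase())) return { host: hostname, status: 'allowlisted', domain: null };
  return { host: hostname, status: 'unpinned', domain: null };
}

// Wraps a fetch-compatible function. With strict=true an unpinned host throws
// before the request leaves the app; otherwise it only logs the messages the
// issue proposes (e.g. for debug builds).
function createCheckedFetch(fetchImpl, options, allow, { strict = false, log = console.warn } = {}) {
  return async function checkedFetch(url, init) {
    const r = classifyRequest(String(url), options, allow);
    if (r.status === 'pinned') {
      log(`Pins check passed in connection to ${r.host}.`);
    } else if (r.status === 'unpinned') {
      const msg = `Pins check skipped in connection to ${r.host}. Domain not included in options.`;
      if (strict) throw new Error(msg);
      log(msg);
    }
    return fetchImpl(url, init);
  };
}
```

The wrapper only decides whether a request is covered by the configuration; the actual pin verification still happens in the native layer once the request is sent.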

@frw frw added the enhancement New feature or request label Jan 10, 2024