We are using an application which connects to a remote server using an https connection. We found out that this app does not use certificate pinning. As this application is not written by us, we can’t change this directly in the application.
Our plan is now to use mitmproxy to implement a certificate pinning so that the external connection can’t be easily intercepted by a man-in-the-middle.
I think of telling mitmproxy to just use the (manually) prevalidated certificate (in the connection to the server) that the external server is currently using, and if that certificate is replaced by someone, mitmproxy should deny accessing the server.
I have no idea how to implement this.
OK, I did some tests: created a file “server.pam” containing all uplink certificates the app is currently using. Then I called mitmproxy (using “mitmproxy 0.18.2”) as follows:
mitmproxy -T --host --upstream-trusted-ca=server.pam
Short tests were positive: our app still works and can connect to the remote server, but every other application no longer works. This is expected, as “server.pam” contains no valid certificates for any of the other https links. It can be fixed by using the “--ignore” option (assuming the server we connect to is “the.externalserver.com” at ip “188.8.131.52”):
mitmproxy -T --host --upstream-trusted-ca=server.pam --ignore '^(?!the\.externalserver\.com)(?!1\.2\.3\.4)'
Next I will try to add another mitmproxy in the uplink path to see if that gets detected and the connection is then no longer possible.
Does this sound feasible and sensible?
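As an added illustration of the pinning idea the post is after (example code, not part of the post and not mitmproxy's own code): the script below builds a set of SHA-256 fingerprints from a PEM bundle in the role of the poster's “server.pam”, and accepts a presented leaf certificate only if its fingerprint is in that set. The bundle is constructed inline from placeholder DER-shaped byte strings so the example runs offline; the host name in `connect_pinned` is a parameter, not a real target. The `--upstream-trusted-ca` option trusts anything that chains to the bundle, whereas this check compares the exact leaf, so the bundle must be refreshed (ideally with a backup entry, as shown) whenever the server renews its certificate.

```python
import base64
import hashlib
import re
import socket
import ssl
from typing import Set

# Constructed sample: two placeholder "certificates" standing in for the
# current and a backup leaf in the bundle. They are not real X.509
# structures, only DER-shaped bytes wrapped in PEM armour; the pinning
# logic does not depend on their contents.
PINNED_DER = [
    b"\x30\x82\x00\x0a" + b"current-leaf",
    b"\x30\x82\x00\x09" + b"backup-leaf",
]


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-in for the poster's "server.pam" bundle.
SAMPLE_BUNDLE = "".join(to_pem(d) for d in PINNED_DER)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def cert_pin(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def load_pins(pem_bundle: str) -> Set[str]:
    """Compute one pin per certificate found in a PEM bundle."""
    pins = set()
    for match in _PEM_BLOCK.finditer(pem_bundle):
        der = base64.b64decode("".join(match.group(1).split()))
        pins.add(cert_pin(der))
    return pins


def check_pin(presented_der: bytes, pins: Set[str]) -> bool:
    """True only if the presented certificate matches a pinned fingerprint."""
    return cert_pin(presented_der) in pins


def connect_pinned(host: str, port: int, pem_bundle: str, timeout: float = 5.0) -> bool:
    """Open a TLS connection and refuse to use it unless the leaf is pinned.

    Two checks happen: ordinary chain validation against the default CA
    store during the handshake, then the exact-leaf pin comparison. Any
    interposed proxy presenting a different certificate fails the second
    check even if its chain validates. (Network call; not exercised offline.)
    """
    pins = load_pins(pem_bundle)
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not check_pin(leaf, pins):
                raise ssl.SSLError(f"pin mismatch for {host}: {cert_pin(leaf)}")
            return True


if __name__ == "__main__":
    pins = load_pins(SAMPLE_BUNDLE)
    print(f"{len(pins)} pins loaded")
    print("current leaf accepted:", check_pin(PINNED_DER[0], pins))
    print("unknown leaf accepted:", check_pin(b"\x30\x82\x00\x0b" + b"other-leaf", pins))
```

When the pin check fails, the right reaction is the one the post describes: drop the connection rather than fall back to plain CA validation, and log the rejected fingerprint so a legitimate certificate renewal can be told apart from interception.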