You all prolly dont give a shit but does anyone know a method to get back into an instagram account? I stupidly forgot my password. I would appreciate any help you can offer me.
Hey this video is 4 years ago but still the same and great explanation I am looking for. For anyone having a confusion about the certificate pinning of crowdstrike, this is exactly how it happens.
Hussein you are the saviour man... I was trying to explore on this. Wasted few days to understand. But your explanation cleared my every single doubt ... 😂
Hi Hussein! Maybe you can do a follow-up on public key pinning and certificate transparency. Seems like most certificate pinning libraries set a hash of the Subject Public Key Info. (It wasn't clear to me if the CA key is pinned sometimes.) While watching your video I was going to comment on pinning a certificate that expires in a month, but you mentioned it. Pinning the key hash solves that. I guess some apps have some side channel to update the pinned key hashes.
Hi Hussein, nice explanation. But as you mentioned there may be a dynamic set of domains. Is there an alternative for this situation? There is an approach called Certificate Transparency - CT, could you make a video about that?
a request - can you do a video on history of security techniques (tls / kubernetes / openssl) with options applicable for different type of projects e-commerce / bank/mobile app etc
great explanation, but considered a bad practice these days. If certificates need to be updated because it was spoofed, expired or simply needs rotation which is mandatory for compliance with regulations, this can't be done with the agility that is necessary. Also, important to say that HPKP is now deprecated.
In the case of DNS poisoning, the malicious websites can still serve the public key certificate from the original website (because is public) but you still need to have the private key to decrypt the traffic, so how it’s gonna work? You either hack the original server and steal the private key from there or you have to trick a certificate authority so they issue you a new valid key pair certificate trusted by the clients, on both cases there’s no need for dns poisonings at this point. Is there something in missing?
Great question! Let's take the example of the mobile application connecting to known domain servers as pointed in the video at the end. So, the android developer has the option of pinning the low level domain cert which might have validity of one year or the CA one which might have a validity of 3-5 years. Let's say they pin the domain certificate which has 1 yr validity. Now, before the cert expires, at the mobile end, they shall chain the old cert and new cert and provide an update to the application. This way, when the server undergoes the cert change there would not be any bad experience for the customer using the mobile application. The problem would only appear if the automatic updates are turned off. Also, usually this is controlled by minimum version support of the application, which would thereby mandate the user to update the application to use it further.
Hi, I didn't quite get what you meant by recompiling the source after adding an entry of the certificate hash. I assume you mean adding/removing key value pairs in the store?
Hi, Thanks for explaining...is there any way of doing the SSL pinning using which we can make changes in server-side only without making any changes in the app..so that we don't need to release the app with the new certificate on the store when the certificate is expired?
Good video, but these days, an attacker can't just serve you a "shady" cert. You (the user) will need to accept the "injected" cert/root and then import it and go on with the app flow... If users simply accept an injected cert and authority, we have all failed. But yeah, it's technically possible, but not without the acceptance -> just like when using Burp on your local machine to proxy the flow. Your browser won't simply enable comms, the certs and root have to be injected. Cheers.
what if at the very first time of client SSL/TLS session to server, there is a man-in-the-middle who pretend to be the server? will the client be cheated?
I think that might only happen in the extreme case of dns poisoning. Otherwise, your browser will catch if the digital signature sent from the server is valid or not.
Hi Hussein, for mobile applications which have a specific endpoint(domain) to connect to, it is clear that ssl pinning would have the request secure. Is there any way that the request is seen by man in the middle and if so, could they get the details of the pinned certificate?
A man in the middle won't see the content of the traffic, heck it will fail at the handshake as the client will reject the certificate it tries to spoof. You can make an educated guess as to why it failed (aka the application uses cert pinning) - the only thing you will see is the URL/ domain it tried connecting to On android it puts you into a full lockdown as soon as you connect to a man in the middle router, atleast on android 12 (gives notification saying connection functionality is limited or something)
![[#2024MAMA] BIGBANG (빅뱅) - 뱅뱅뱅 (BANG BANG BANG) + FANTASTIC BABY | Mnet 241123 방송](http://i.ytimg.com/vi/EQsYfiPR9uM/mqdefault.jpg)
i cracked my interview with this explanation..thanks a lot
👏👏
You all prolly dont give a shit but does anyone know a method to get back into an instagram account?
I stupidly forgot my password. I would appreciate any help you can offer me.
Hey this video is 4 years ago but still the same and great explanation I am looking for. For anyone having a confusion about the certificate pinning of crowdstrike, this is exactly how it happens.
Why are you explaining it so long.. it’s actually very simple
Hussein you are the saviour man... I was trying to explore on this. Wasted few days to understand. But your explanation cleared my every single doubt ... 😂
❤️❤️
Easy and helpful. Thanks a ton, Hussein Sir. Learning these types of things never been that easy.
thank you for accommodating the request
Short and sweet. Thanks
Great and clear explanation! Thank you
Hussein, you are great.
Thank you, now I completely understood it
Great explanation as always man
thanks, nice and clear explanation
Hi Hussein! Maybe you can do a follow-up on public key pinning and certificate transparency. Seems like most certificate pinning libraries set a hash of the Subject Public Key Info. (It wasn't clear to me if the CA key is pinned sometimes.) While watching your video I was going to comment on pinning a certificate that expires in a month, but you mentioned it. Pinning the key hash solves that. I guess some apps have some side channel to update the pinned key hashes.
Carl Hage thanks Carl! Yes I think there are multiple ways of tackling this. Pinning the hash of the public key seems to be the least disruptive..
Thanx man this was very helpful to me ☺️☺️
Hi Hussein, nice explanation. But as you mentioned there may be a dynamic set of domains. Is there an alternative for this situation? There is an approach called Certificate Transparency - CT, could you make a video about that?
I truly love your explainantion. but somehow i feel lalo salamanca is talking :D
super video. when did tls pinning become popular for authentication between servers?
This was a great great great explanation!
Glad you enjoyed it!
And I ended up subscribing too
😂😂😂.. I love ur content and how funny you are
a request - can you do a video on history of security techniques (tls / kubernetes / openssl) with options applicable for different type of projects e-commerce / bank/mobile app etc
basically wanted to have a primer of history of security techniques and current landscape
awesome.. tnx
great explanation, but considered a bad practice these days. If certificates need to be updated because it was spoofed, expired or simply needs rotation which is mandatory for compliance with regulations, this can't be done with the agility that is necessary. Also, important to say that HPKP is now deprecated.
Thank you
In the case of DNS poisoning, the malicious websites can still serve the public key certificate from the original website (because is public) but you still need to have the private key to decrypt the traffic, so how it’s gonna work?
You either hack the original server and steal the private key from there or you have to trick a certificate authority so they issue you a new valid key pair certificate trusted by the clients, on both cases there’s no need for dns poisonings at this point. Is there something in missing?
great video! I have one question though - what happens when the pinned certificate expires?
Great question! Let's take the example of the mobile application connecting to known domain servers as pointed in the video at the end. So, the android developer has the option of pinning the low level domain cert which might have validity of one year or the CA one which might have a validity of 3-5 years. Let's say they pin the domain certificate which has 1 yr validity. Now, before the cert expires, at the mobile end, they shall chain the old cert and new cert and provide an update to the application. This way, when the server undergoes the cert change there would not be any bad experience for the customer using the mobile application. The problem would only appear if the automatic updates are turned off. Also, usually this is controlled by minimum version support of the application, which would thereby mandate the user to update the application to use it further.
Hi, I didn't quite get what you meant by recompiling the source after adding an entry of the certificate hash. I assume you mean adding/removing key value pairs in the store?
Hi, Thanks for explaining...is there any way of doing the SSL pinning using which we can make changes in server-side only without making any changes in the app..so that we don't need to release the app with the new certificate on the store when the certificate is expired?
Cloudflare ssl gets renewed after 3 months, so every 3 months i need to get updated the apk with new hash, does it has any solution
Good video, but these days, an attacker can't just serve you a "shady" cert. You (the user) will need to accept the "injected" cert/root and then import it and go on with the app flow... If users simply accept an injected cert and authority, we have all failed. But yeah, it's technically possible, but not without the acceptance -> just like when using Burp on your local machine to proxy the flow. Your browser won't simply enable comms, the certs and root have to be injected. Cheers.
what if at the very first time of client SSL/TLS session to server, there is a man-in-the-middle who pretend to be the server? will the client be cheated?
I think that might only happen in the extreme case of dns poisoning. Otherwise, your browser will catch if the digital signature sent from the server is valid or not.
so this happens on the front end javascript? can’t someone change the javascript?
Hi Hussein, for mobile applications which have a specific endpoint(domain) to connect to, it is clear that ssl pinning would have the request secure. Is there any way that the request is seen by man in the middle and if so, could they get the details of the pinned certificate?
A man in the middle won't see the content of the traffic, heck it will fail at the handshake as the client will reject the certificate it tries to spoof. You can make an educated guess as to why it failed (aka the application uses cert pinning) - the only thing you will see is the URL/ domain it tried connecting to
On android it puts you into a full lockdown as soon as you connect to a man in the middle router, atleast on android 12 (gives notification saying connection functionality is limited or something)
Wouldn't the client verify the domain in the shady certificate it received back and reject if it s not the same as the one requested?
Gautham R the shady certificate will have the same domain requested by the client its just signed by a shady CA
Hussein Nasser Thanks a lot. That makes sense.
❤️
Fail ..haiinn,
The Indian tutorial told me ssl pinning means “uh er uh uh” holy fuck thank u
hhhhhhh, "my pins are the worse"