All in the name of security apparently. Their approach to security on their site, on the other hand, is to simply slap a cert on it and not bother with HSTS, HPKP or DANE. They've not even bothered with DNSSEC, and from the comments on that article don't seem to care if your connection transits the Tor network so long as it's via something on the network rather than a locally installed app.
The app at least verifies the certificate it's presented, but relies on the device's trust store, so if you can get a certificate from any of the _many_ CAs a handset trusts, MiTM is as simple as redirecting DNS to your server and telling Nginx to listen on port 443, proxy to localhost 80 and then proxy upstream on 443. And with a quick TCPDump you can start extracting credentials and other exciting things:

GET /broker/api/users/ids/7654321duh HTTP/1.0
Host: mob.tescobank.com
Connection: close
X-ClientAppVersion: 1.7.0
X-AvlHeight: 1920
X-InternalIP: 10.0.0.9
X-DeviceID: [Redacted]
X-Timezone: Greenwich Mean Time
X-Language: English
X-Jailbroken: N
X-FullWidth: 1080
X-Mac: [redacted MAC address]
X-OSName: Android
X-Credential: MobWord
X-AvlWidth: 1080
X-FullHeight: 1920
X-OSVersion: 4.4.2
X-DeviceType: GT-I9505
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; GT-I9505 Build/KOT49H)
Accept-Encoding: gzip

Almost like having Orbot installed isn't their biggest problem...

Also, the check for whether a device is rooted is obviously faulty - the phone I tested from is very definitely rooted. DNS for mob.tescobank.com resolving to an IP on the same subnet as my phone should probably be a concern too.

Given they know who issues their certificates, perhaps they should focus more on tightening their own security than dropping in checks for other apps (seems it objects to a number of packet sniffer apps too).

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
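The two observations in the post (a banking hostname resolving onto the phone's own subnet, and an app that accepts any certificate chaining to any CA in the device trust store) each correspond to a check a client can run before it sends credentials. The following is an added illustration, not code from the post or from Tesco Bank's app: the hostnames, addresses, subnets and certificate bytes are constructed, and the pin check here uses a SHA-256 fingerprint of the DER-encoded leaf certificate rather than the SPKI hash that HPKP uses.

```python
"""Two defender-side pre-flight checks for a mobile client (added example).

1. resolution_warnings(): flag a DNS answer for the bank host that lands on a
   private, loopback or link-local address, or inside one of the device's own
   subnets; a public API endpoint should never resolve there.
2. pin_matches(): accept the server's leaf certificate only if its SHA-256
   fingerprint is in a pinned set, independent of the device trust store.

All hostnames, addresses and certificate bytes below are constructed.
"""

import hashlib
import hmac
import ipaddress
from typing import Iterable, List


def resolution_warnings(hostname: str, resolved: Iterable[str],
                        local_networks: Iterable[str]) -> List[str]:
    """Return human-readable reasons the DNS answer for `hostname` looks wrong."""
    warnings: List[str] = []
    nets = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    for raw in resolved:
        addr = ipaddress.ip_address(raw)
        # RFC 1918 / loopback / link-local answers for a public host suggest
        # a spoofed resolver or a captive network.
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            warnings.append(f"{hostname} -> {addr}: non-public address")
        # An answer inside the device's own subnet is the case the post describes.
        for net in nets:
            if addr in net:
                warnings.append(f"{hostname} -> {addr}: inside local subnet {net}")
    return warnings


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as lowercase hex.

    On a live connection, ssl.SSLSocket.getpeercert(binary_form=True) returns
    exactly these DER bytes."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: Iterable[str]) -> bool:
    """True only if the presented certificate is one of the pinned fingerprints.

    compare_digest avoids leaking which prefix of the hash matched."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pinned)


# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE_LEAF_DER = b"constructed-genuine-leaf-certificate"
MITM_LEAF_DER = b"constructed-attacker-leaf-certificate"
PINNED_FINGERPRINTS = {cert_fingerprint(GENUINE_LEAF_DER)}


if __name__ == "__main__":
    host = "mob.tescobank.com"          # hostname from the captured request
    phone_subnet = ["10.0.0.0/24"]      # subnet implied by X-InternalIP: 10.0.0.9
    for answer in (["1.2.3.4"], ["10.0.0.20"]):   # constructed DNS answers
        print(answer, resolution_warnings(host, answer, phone_subnet) or "ok")
    print("genuine cert pinned:", pin_matches(GENUINE_LEAF_DER, PINNED_FINGERPRINTS))
    print("MitM cert pinned:  ", pin_matches(MITM_LEAF_DER, PINNED_FINGERPRINTS))
```

A client that pins the leaf (or, more robustly, the SPKI of the issuing CA) stops relying on whichever CAs the handset happens to ship with; the resolution check is cheap and catches the spoofed-DNS setup the post describes even before the TLS handshake.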