
I've used the JMeter proxy to inspect SSL traffic coming from my iPhone, by installing the JMeter certificate on the iPhone and then configuring the Wi-Fi on the phone to use the JMeter proxy.

If I want to prevent this MITM sniffing for a particular website/server can I just enforce TLS 1.2 on the server?

Does TLS 1.2 actually prevent this kind of MITM sniffing if it is enforced throughout?

Fraggle

1 Answer

A man-in-the-middle attack is prevented if the client checks that it gets exactly the expected certificate. This is called certificate or public key pinning. It is not a feature of any TLS version, including TLS 1.2, but must be implemented explicitly in the client. For more information and example code see OWASP: Certificate and Public Key Pinning.

Steffen Ullrich
  • That was my understanding as well. Our plan was to do SSL pinning, but it was suggested (by a co-worker) that by forcing TLS 1.2 this wouldn't be needed. I'll stick with the pinning plan. – Fraggle Aug 03 '16 at 21:48
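The check the answer describes, as an added example that is not part of the original answer or of the OWASP page it links to. It pins the SHA-256 of the server certificate's SubjectPublicKeyInfo (the form OWASP recommends, so a renewed certificate with the same key still matches) and shows why TLS 1.2 alone does not help: the two certificates below are constructed placeholders (unsigned, placeholder key bytes, not real keys), one standing in for the genuine server and one for what a JMeter-style proxy mints on the fly, and only the key decides the outcome. The DER walker, the demo certificate builder and the `pinned_handshake` network helper are this example's own assumptions, not anything from the question; they use only the Python standard library.

```python
import base64
import hashlib
import socket
import ssl

# --- minimal DER helpers (enough to walk X.509 fields; no ASN.1 library needed) ---

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

# --- the pinning logic -----------------------------------------------------------

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {...}, sigAlg, sigValue }
    tag, tbs_pos, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, pos, _ = read_tlv(cert_der, tbs_pos)
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                          # explicit [0] version present (v2/v3)
        pos = end
    for _ in range(5):                       # skip serialNumber .. subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    assert tag == 0x30, "subjectPublicKeyInfo is not a SEQUENCE"
    return cert_der[pos:end]                 # whole TLV, header included

def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(SPKI)): the pin format used by HPKP, OkHttp and TrustKit."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der: bytes, pins) -> bool:
    """True if the leaf certificate's SPKI pin is one of the pins the app ships with."""
    return spki_pin(cert_der) in set(pins)

def pinned_handshake(host: str, pins, port: int = 443) -> str:
    """Real-client pattern: keep the normal chain and hostname checks, then add the pin.
    A proxy CA the user installed passes the chain check; it does not pass this one.
    Network helper for the reader; the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pins):
                raise ssl.SSLError(f"SPKI pin mismatch for {host}: got {spki_pin(leaf)}")
            return spki_pin(leaf)

# --- constructed demo certificates (placeholder keys, unsigned; not real certificates) ---

RSA_ALG = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))     # rsaEncryption, NULL
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))  # sha256WithRSAEncryption

def build_demo_cert(key_bytes: bytes, with_version: bool = True) -> bytes:
    """Structurally valid X.509 DER around a placeholder key; enough for extract_spki."""
    spki = der(0x30, RSA_ALG + der(0x03, b"\x00" + key_bytes))      # BIT STRING, 0 unused bits
    tbs = der(0xA0, der(0x02, b"\x02")) if with_version else b""    # [0] version v3 (absent in v1)
    tbs += der(0x02, b"\x01")                                        # serialNumber
    tbs += SHA256_RSA                                                # signature algorithm
    tbs += der(0x30, b"")                                            # issuer (empty Name)
    tbs += der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"260101000000Z"))  # validity
    tbs += der(0x30, b"")                                            # subject
    tbs += spki
    return der(0x30, der(0x30, tbs) + SHA256_RSA + der(0x03, b"\x00" * 33))   # bogus signature

SERVER_KEY = hashlib.sha256(b"constructed: genuine server key").digest() * 9  # 288 bytes: exercises long-form lengths
MITM_KEY = hashlib.sha256(b"constructed: proxy-minted key").digest() * 9
SERVER_CERT = build_demo_cert(SERVER_KEY)
MITM_CERT = build_demo_cert(MITM_KEY)      # same subject, different key: what the intercepting proxy presents
PINS = {spki_pin(SERVER_CERT)}             # what the app ships with

if __name__ == "__main__":
    print("pinned SPKI:", next(iter(PINS)))
    print("genuine server accepted:", pin_matches(SERVER_CERT, PINS))
    print("proxy-minted cert accepted:", pin_matches(MITM_CERT, PINS))
```

Pinning the SPKI rather than the whole certificate is what lets the check survive certificate renewals that keep the key; the certificate version is irrelevant to the pin, so a v1 and a v3 certificate around the same key give the same value. In a shipping client you would carry at least one backup pin for a key you control but have not deployed yet, or a key rotation locks your own users out.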