ChatSecure

Free and open source encrypted chat for iOS.

The Importance of SSL Pinning

SSL Pinning Support

You may have noticed there was a very important security update for iOS devices lately (iOS 7.0.6) that patches a flaw allowing an attacker on the network to bypass server certificate verification in any app that uses the default system-wide TLS library, Security.framework. There is a pretty good description of the vulnerability here, if you’re interested.

If you use the latest version of ChatSecure you are now using a feature called SSL pinning, which lets you manually inspect and remember the SSL certificate of each server you connect to, bypassing the CA system entirely: once you have stored a certificate, later connections are compared against that stored certificate rather than against whatever the CA system happens to accept.

However, if you have not updated to iOS 7.0.6 or higher and you are being actively MitMed, the alert dialog (pictured above) may show misleading information: a green ✓ instead of a red ✗ with the appropriate certificate error. This is because XMPPFramework’s socket library, GCDAsyncSocket, relies on Apple’s faulty SSL verification routine. Fortunately the SHA-1 fingerprint shown in the dialog is computed from the certificate actually presented, so it still will not match the fingerprint of your real server’s certificate. It is therefore especially important to double-check the fingerprint of any new certificate against a copy obtained out of band (for example from your server administrator) before you store it, rather than relying on the green ✓ alone.

It is especially important to update all of your devices as soon as possible, because apps that don’t implement certificate pinning will display no warning at all when your connection is compromised. Unfortunately most apps do not implement this functionality, including many banking apps.

Additionally, if you are using OS X 10.9.1, please avoid using Safari (or other programs that use Security.framework) until this vulnerability is patched on OS X as well.

Written By
Chris Ballinger

ChatSecure v2.2 Released

ChatSecure v2.2 for iOS was approved by Apple today. One of the main new features is support for SSL certificate pinning, to help prevent man-in-the-middle attacks. A nice side effect of implementing this feature is that we now support alternative root CAs like CACert.org, which means jabber.ccc.de accounts should now work properly. This also means that if you run your own XMPP server with a self-signed certificate, you should have fewer problems connecting and can now verify and pin the SHA-1 fingerprint of your certificate before connecting. @davidchiles crafted a beautiful and simple interface that appears for each new certificate, including information about whether or not the certificate would pass the built-in iOS certificate checks:

SSL Pinning Support
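The trust-on-first-use pinning flow that this announcement and the SSL pinning post above describe, as an added Python sketch written for this page (it is not ChatSecure’s own Objective-C code): the fingerprint shown to the user is SHA-1 over the certificate bytes the server actually presented, the first connection to a host yields a "new" verdict that the dialog has to put in front of the user, and on later connections only the fingerprint comparison decides, so the OS trust verdict (the green ✓) can never override a mismatch. The certificate byte strings, the host name and the colon-separated fingerprint formatting are constructed assumptions.

```python
"""Trust-on-first-use (TOFU) certificate pinning, independent of the OS trust verdict."""
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded certificates (assumption: a real DER
# certificate is an ASN.1 structure; the pin logic only hashes the raw bytes,
# so any bytes serve to demonstrate it).
SERVER_CERT_DER = b"constructed DER: CN=xmpp.example.org, self-signed by the operator"
MITM_CERT_DER = b"constructed DER: CN=xmpp.example.org, issued by an attacker"
HOST = "xmpp.example.org"  # assumption: hypothetical server name


def fingerprint_sha1(cert_der: bytes) -> str:
    """SHA-1 over the DER bytes as colon-separated uppercase hex, the form
    `openssl x509 -fingerprint -sha1` prints (20 bytes -> 59 characters)."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """One pinned SHA-1 fingerprint per host, stored only after the user has
    compared it with a fingerprint obtained out of band."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def pinned(self, host: str) -> Optional[str]:
        return self._pins.get(host)

    def evaluate(self, host: str, cert_der: bytes, system_trusted: bool) -> dict:
        """Decide what to do with the certificate a server just presented.

        verdict  "match"    -> connect: it is the certificate we pinned
                 "new"      -> no pin yet: show the fingerprint, let the user verify
                 "mismatch" -> a pin exists and this is a different certificate:
                               refuse, even if the OS said the chain is fine
        fingerprint     -> what the dialog should display
        system_trusted  -> the OS verdict, carried along for display only
        """
        fp = fingerprint_sha1(cert_der)
        stored = self._pins.get(host)
        if stored is None:
            verdict = "new"
        elif stored == fp:
            verdict = "match"
        else:
            verdict = "mismatch"
        # Deliberately no branch on system_trusted: with the pre-7.0.6 iOS bug
        # a forged chain can come back as trusted, so the OS verdict must never
        # override the fingerprint comparison.
        return {"verdict": verdict, "fingerprint": fp, "system_trusted": system_trusted}

    def accept(self, host: str, fingerprint: str, replace: bool = False) -> None:
        """Store a pin the user has verified out of band. Replacing an existing,
        different pin (legitimate certificate rotation) has to be explicit."""
        stored = self._pins.get(host)
        if stored is not None and stored != fingerprint and not replace:
            raise ValueError(f"{host} already pinned to {stored}; pass replace=True to rotate")
        self._pins[host] = fingerprint


def demo() -> list:
    """First connection, a good reconnection, then a MitM attempt that fools the OS."""
    store = PinStore()
    first = store.evaluate(HOST, SERVER_CERT_DER, system_trusted=False)  # self-signed: OS says no
    store.accept(HOST, first["fingerprint"])  # user compared it with the admin's copy
    again = store.evaluate(HOST, SERVER_CERT_DER, system_trusted=False)
    attack = store.evaluate(HOST, MITM_CERT_DER, system_trusted=True)  # OS fooled, pin is not
    return [first["verdict"], again["verdict"], attack["verdict"]]


if __name__ == "__main__":
    print(demo())
```

In an app the bytes hashed would be the DER of the leaf certificate taken from the TLS handshake; everything else stays the same. The self-signed server case shows why the OS verdict is informational only: it is "untrusted" on every connection, yet the pin makes the connection safe, while the attacker's certificate passes the broken system check and is still refused.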

We also implemented another highly requested feature: you can now enable automatic login for your accounts. Coming soon is support for Tor, SOCKS5, and XMPP account creation (XEP-0077).

Notable Changes

  • XMPP: SSL Certificate Pinning
  • XMPP: Support for non-standard root CAs like CACert to support jabber.ccc.de
  • XMPP: Better support for self-signed SSL certificates via certificate pinning
  • Support auto-login for accounts
  • User interface improvements
  • Security improvements
  • Internal refactoring and code cleanup
  • Fix many crashes
  • Update 3rd party libraries
  • Full Changelog

Special thanks to @vitalyster for the UI patches included in this version.

Download

Download it for free on the App Store and check out the source code on GitHub.

Written By
Chris Ballinger

Website Redesign

I decided to redesign chatsecure.org with Jekyll, a static blogging framework, combined with the very pretty Incorporated theme. If you find any mistakes, or would like to help improve the site, feel free to submit a pull request!

One major issue is that GitHub Pages doesn’t support SSL and, even worse, if you have a custom domain it will appear to be completely broken because their servers don’t respond at all on port 443 for custom domains.

Written By
Chris Ballinger

New Servers!

It only took a year, but we have finally migrated to a new server and a super simple Django blogging engine instead of a giant template file rendered with Flask. Sorry about the lack of updates in the meantime! Next step will be to rewrite chatsecure.org to include information about the Android version as well.

Written By
Chris Ballinger

ChatSecure v2.1.2 Released

  • Fix Facebook login issues
  • Fix non-Gmail Google Apps for Domain login issues
  • Fix issue with erroneous SSL validation error
  • Fix missing keyboard / chat input area
  • Fix crash when quickly switching between buddies
  • Fix 100% CPU usage bug

Full changelog

Written By
Chris Ballinger
