MarleTangible 5 hours ago
You'd generally expect a company like Lyft to pin its certificates, so it's notable that they don't. Any ideas as to why?
ale42 5 hours ago
If it's intentional, the only thing I can think of is access from corporate networks where SSL-intercepting proxies are absolutely common.
vimda 4 hours ago
Pinning certs has generally been discouraged for a while afaik. It's pretty trivial to bypass, at least on Android where you can sideload easily, and it's a pain in the ass to manage, with a huge potential to just take down your app if you mess it up.