Certificate check leaks HTTP headers #44

Closed
sebkoller opened this issue May 5, 2023 · 0 comments

When the certificates are fetched and verified on Android and iOS, the headers of the actual request are sent.
In case of a MITM attack, HTTP headers, which often contain authorization headers, are leaked to the attacker.

My suggestion:

  1. Headers are not needed to download the certificates
  2. There is no need to do a full HTTP request to get the certificates. Opening an SSL/TLS connection is sufficient.

Here is an example to fetch the certificates with an SSLSocket in Kotlin:

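```kotlin
import java.io.IOException
import javax.net.ssl.SSLPeerUnverifiedException
import javax.net.ssl.SSLSocket
import javax.net.ssl.SSLSocketFactory

fun main() {
    val hostname = "example.com"
    val port = 443 // Default HTTPS port
    val timeout = 5000 // read timeout in milliseconds

    try {
        val factory = SSLSocketFactory.getDefault() as SSLSocketFactory
        // `use` closes the socket even if the handshake throws
        (factory.createSocket(hostname, port) as SSLSocket).use { socket ->
            socket.soTimeout = timeout
            // Only the TLS handshake is performed; no HTTP request or headers are sent
            socket.startHandshake()

            val session = socket.session
            // peerCertificates[0] is the server's leaf certificate
            val serverCertificate = session.peerCertificates[0]

            // verify certificate
        }
    } catch (ex: SSLPeerUnverifiedException) {
        // handle ssl exception
    } catch (ex: IOException) {
        // handle io exception
    }
}
```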
@sebkoller sebkoller changed the title The certificate check leaks HTTP headers Certificate check leaks HTTP headers May 5, 2023