Lead Image © Bruce Rolff, 123RF.com

Securing the TLS ecosystem with Certificate Transparency

A Curse and a Blessing

Article from ADMIN 60/2020
By
The sudden need for home offices during the pandemic lockdown forced IT departments to institute provisional solutions on the fly during the transition from office to home. Those stopgaps now need permanent replacements, especially where TLS connections on the Internet are concerned.

Certificate Transparency further secures the TLS ecosystem on the Internet by making unauthorized certificates identifiable. The same transparency, however, gives attackers a way to search for services (e.g., video conferencing systems) that are reachable on the network without adequate protection. Administrators need to be aware that, thanks to Certificate Transparency, supposedly confidential domains and subdomains are published as soon as a certificate is issued for them.
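A defender's use of the same transparency, as an added example that is not from the article: the script below audits Certificate Transparency records for a domain against an administrator's own inventory, flagging hostnames that a certificate has made public but nobody tracks, and certificates from a CA the organization does not use. The records, hostnames and issuer names are constructed to mimic the JSON format crt.sh returns; nothing is fetched from the network.

```python
"""Audit Certificate Transparency records for a domain against a known inventory."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed sample in the JSON shape crt.sh returns ("issuer_name",
# "name_value" with one SAN per line, "not_before"); nothing is fetched.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.org\nexample.org", "not_before": "2020-03-02T10:11:12"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "meet.example.org", "not_before": "2020-03-20T08:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.staging.example.org", "not_before": "2020-04-01T09:30:00"},
    {"issuer_name": "C=XX, O=Unknown Issuer CA",
     "name_value": "vpn.example.org", "not_before": "2020-04-05T13:00:00"},
])

# Hostnames the administrator knows about, and the CAs allowed to issue for them (constructed).
KNOWN_HOSTS = {"www.example.org", "example.org", "vpn.example.org"}
ALLOWED_ISSUERS = ("Let's Encrypt",)

@dataclass(frozen=True)
class Finding:
    hostname: str
    issuer: str
    reason: str  # "unknown_host" or "unexpected_issuer"

def hostnames_from_record(record: dict) -> list[str]:
    """Split the newline-packed SAN list into normalized hostnames."""
    return [h.strip().lower() for h in record["name_value"].split("\n") if h.strip()]

def audit_ct_records(ct_json: str, known_hosts: set[str],
                     allowed_issuers: tuple[str, ...]) -> list[Finding]:
    """Flag names a certificate made public that inventory lacks, and certs from CAs not in use."""
    findings: list[Finding] = []
    for record in json.loads(ct_json):
        issuer = record["issuer_name"]
        issuer_ok = any(ca in issuer for ca in allowed_issuers)
        for host in hostnames_from_record(record):
            if host not in known_hosts:
                findings.append(Finding(host, issuer, "unknown_host"))  # exposed, unmanaged service
            if not issuer_ok:
                findings.append(Finding(host, issuer, "unexpected_issuer"))  # possible mis-issuance
    return findings

if __name__ == "__main__":
    for f in audit_ct_records(SAMPLE_CT_JSON, KNOWN_HOSTS, ALLOWED_ISSUERS):
        print(f"{f.reason:18} {f.hostname:24} {f.issuer}")
```

Run against real CT data, the same audit turns the exposure the article warns about into an inventory check: every new name that appears in a log for your domain is either already known or something to investigate.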

The preventive measures that were implemented this year to protect people against COVID-19 have unexpectedly turned IT landscapes in many countries upside down. All of a sudden, home offices that had previously not been allowed in corporations were now necessary. In view of the lack of alternatives, many managers and IT departments had to establish new processes quickly and expand existing infrastructures. In the heat of the moment, many new services were set up, initially to test the possibilities.

Many of the new installations were tele- and video conferencing systems, and they have remained in operation as permanent provisional solutions – secured with a Let's Encrypt certificate, but without any further protection and often even usable without a login. Because the service was not linked to anything and was only used internally, many administrators – for reasons of ease of use and because they had many other urgent tasks – decided not to change this state during the transition by, for example, securing the services in a sensible way.

Identifying Spoofed Certificates

Recent years have seen a great deal of flux in the TLS certificate ecosystem. The Let's Encrypt service revolutionized the entire certificate market in 2014. Without too much setup overhead and without any costs, administrators can use this service to secure the communication of their web services. According to the Censys website

...