Lead Image © Jennifer Huls, 123RF.com

Certificate security

Nailed

Article from ADMIN 33/2016
Use public key pinning to map certificates to specific domains.

Certificates form the basis for secure communications on the web. However, what if the proposed certificate for a website comes from a trusted certificate authority (CA) that has been surreptitiously compromised by fraudsters and is now used in the context of attacks? Public key pinning seeks to close this gap. It involves extracting the underlying public key of a certificate to resolve that certificate to a specific domain. The security tip described here shows how to implement the procedure.

Numerous IT security experts are currently dealing with this topic: HTTP Public Key Pinning (HPKP). Still a draft for now, the HTTPS extension will soon be standardized by the Internet Engineering Task Force (IETF). In the future, many problems relating to issued certificates and CAs could be fixed with HPKP. The basic principle of common certification authorities is very simple: CAs typically issue certificates, which are then used to secure websites using TLS. A certificate ensures, for example, that a user connecting to a specific domain (e.g., www.linuxmagazine.com) is indeed talking to the correct web address and not to a spoofed website.

In the recent past, however, many spoofed certificates were issued, and attackers were able to intercept supposedly secure communications unnoticed. The basic problem is that, by default, huge numbers of CAs are anchored in the various browsers or in the operating system itself. These CAs are typically trusted automatically, which means that any one of them could issue fake certificates at will, and those certificates would in turn be considered trustworthy.

It is precisely here that a new approach (RFC 7469) enters the scene, geared to safeguard the world of SSL/TLS encryption. To be specific, this is an extension of the HTTP protocol. With the help of public key pinning, a host or an operator of publicly accessible systems or services can determine which certificates a browser should classify as trustworthy for a domain in

...
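The mechanism described above (hash the certificate's SubjectPublicKeyInfo, express the result as a pin-sha256 value, and let the server announce its pins in a Public-Key-Pins header) can be demonstrated end to end without a TLS library. The following is an added example and not code from the article: it uses only the Python standard library, walks just enough DER to find subjectPublicKeyInfo inside tbsCertificate, computes the RFC 7469 pin, parses a header, and applies the two checks a browser performs (does at least one pin match the served chain, and does the header carry a backup pin that is not in the chain, without which RFC 7469 says the pins must not be noted). The certificates are constructed, unsigned DER skeletons labelled as such; the helper names are the author's own.

```python
# Added example (not from the article): derive an HPKP pin from a certificate's
# SubjectPublicKeyInfo and evaluate a Public-Key-Pins header against a chain.
# Standard library only. The DER walker is minimal: it understands just enough
# X.509 structure to locate subjectPublicKeyInfo inside tbsCertificate.
import base64
import hashlib
import re


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def spki_der_from_cert(cert_der: bytes) -> bytes:
    """Return the DER bytes of subjectPublicKeyInfo (tag, length and value included);
    this is exactly what RFC 7469 hashes for pin-sha256."""
    tag, vstart, vend = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_vstart, tbs_vend = next(_children(cert_der, vstart, vend))  # tbsCertificate
    fields = list(_children(cert_der, tbs_vstart, tbs_vend))
    if fields and fields[0][0] == 0xA0:               # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_pos, _, spki_vend = fields[5]
    return cert_der[spki_pos:spki_vend]


def hpkp_pin(cert_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(spki_der_from_cert(cert_der)).digest()
    return base64.b64encode(digest).decode()


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into pins, max-age and includeSubDomains."""
    pins = re.findall(r'pin-sha256="([^"]+)"', value)
    m = re.search(r"max-age=(\d+)", value)
    return {
        "pins": pins,
        "max_age": int(m.group(1)) if m else None,
        "include_subdomains": bool(re.search(r"\bincludeSubDomains\b", value, re.I)),
    }


def chain_passes_pins(pins, chain_der) -> bool:
    """Pin validation: at least one noted pin must match an SPKI somewhere in the chain."""
    return any(hpkp_pin(c) in pins for c in chain_der)


def header_may_be_noted(header: dict, chain_der) -> bool:
    """A UA only notes the pins if max-age is present, at least one pin matches the
    served chain, and at least one backup pin does not (RFC 7469 backup-pin rule)."""
    if header["max_age"] is None or not header["pins"]:
        return False
    present = {hpkp_pin(c) for c in chain_der}
    matching = [p for p in header["pins"] if p in present]
    backup = [p for p in header["pins"] if p not in present]
    return bool(matching) and bool(backup)


# --- constructed sample data (structurally valid X.509, unsigned, not real certs) ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def constructed_cert(key_bytes: bytes) -> bytes:
    """Build a DER certificate skeleton whose SPKI wraps key_bytes (constructed sample)."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))      # 1.2.840.113549.1.1.1
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + key_bytes))
    empty_seq = _der(0x30, b"")                                     # sig alg / issuer / validity / subject
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + empty_seq * 4 + spki)
    return _der(0x30, tbs + empty_seq + _der(0x03, b"\x00"))


LEAF = constructed_cert(b"\x11" * 32)
BACKUP = constructed_cert(b"\x22" * 32)   # key kept offline; deliberately not in the served chain
SAMPLE_HEADER = (f'pin-sha256="{hpkp_pin(LEAF)}"; pin-sha256="{hpkp_pin(BACKUP)}"; '
                 'max-age=5184000; includeSubDomains')

if __name__ == "__main__":
    print("leaf pin:", hpkp_pin(LEAF))
    print("header noted:", header_may_be_noted(parse_pkp_header(SAMPLE_HEADER), [LEAF]))
```

On a real deployment the same pin value is what `openssl` produces from the certificate's public key; the point of the backup pin is that a site which loses or rotates its key without having announced a second pin locks out every browser that noted the first one for the full max-age.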