Securing the TLS ecosystem with Certificate Transparency

A Curse and a Blessing

Conclusions

Certificate Transparency is an important step in securing TLS connections on the Internet. However, I also introduced situations in which publishing domain names could pose a threat, especially if the administrator is not expecting them to be published.

When setting up services, always configure them securely if the software allows it; otherwise, restrict access to the services with the web server's own capabilities.
