SlideShare a Scribd company logo

Certificate pinning v certificate transparency

Download as PPTX, PDF
D
DianaKhersonskaia

Certificate transparency helps secure mobile apps by ensuring clients only accept publicly logged certificates. It involves certificate authorities submitting certificates to public logs, which clients can check. However, it does not prevent rogue certificates that were publicly logged. SSL pinning provides additional validation by having the app check certificates against ones hardcoded in the app bundle. This ensures connections even if an unauthorized but logged certificate is issued for the domain. Public key pinning is more flexible than certificate pinning but requires extracting the public key from certificates.

1 of 13
Certificate Pinning v Certificate Transparency
iOS Trust Store Usually, we delegate setting up and maintaining TLS sessions to iOS. iOS checks for us if the certificate which server uses is trustworthy or not, by checking the root certificate during SSL handsha And it works well, for example if I try to intercept traffic from your device with a proxy tool, I won’t be able to do it, because this proxy tool generates certificate which is not it iOS trust store.
iOS Trust Store This method has a weakness, however: An attacker can generate a self-signed certificate and include it in the iOS Trust Store or hack a root CA certificate. Or user can install certificate to trust by m Or for example I’m as developer would want to read api calls and change request or respond from server.
Certificate Transparency Certificate Transparency is a standard for monitoring and auditing certificates. Its purpose is to help protect against fraudulently issued certificates. Certificate Transparency involves submitting a server’s public cert to a log that is available to the public. Certificate transparency works by having a network of publicly accessible log servers that provide cryptographic evidence when a certificate authority issues new certificate for any domain. These log servers can then be monitored to look out for suspicious certificates as well as audited to prove the logs are working as expected. The most critical part of certificate transparency is to be alerted to the issuance of new certificates so you can spot mis-issuance promptly. One tool for such monitoring is the open source ct_advisor hosted at https://ctadvisor.lolware.net. Another option is Facebook’s Certificate Transparency Monitoring tool which additionally can help you spot certificates created on domains trying to spoof yours. There are also tools such as Comodo’s Certificate Search tool that make it easy to search for your certificates in the public log files to help verify your expectations.
Certificate Transparency So, here's a quick overview on how it works. First, the certificate authority not only issues a certificate to the server, but it also sends it over to the log. The log then sends a signed proof that the certificate has been included, and the server hands both that and the original certificate over to the application. That means you can validate the pair together. Client (ios app) will check that server certificates are supported by valid, signed Certificate transparency timestamps from at least two Certificate transparency logs trusted by Apple. So application won’t establish connection with a server if certificate doesn’t have an evidence that it was added to a log So, certificate transparency makes it more difficult to launch attacks. If the attacker can get a certificate from an authority that's not participating in public logs, they have no way to get that cryptographic proof that the certificate has been included in the log.
Certificate Transparency Client checks for proof that certificate has been logged • In the certificate itself • In a TLS extension • Delivered via OCSP stapling
Certificate Transparency In a SSL handshake Second one check during SSL handshake. Every time a client connects to that server it sees the certificate and it wants to know whether it's still valid. So, it asks the certificate authority right there in the middle of the SSL handshake, and the certificate authority answers if the certificate still valid or not. This has some issues. One of them is that it's slow. You're right in the middle of this handshake; you're trying to get your resources, you don't want to wait to make your network connection to some other entity, especially if that server is gone down. The other major issue is that it leaks a little bit about whatever activity you're doing online. Your certificate authority gets to see which host names you're connecting to because you're sending a response up each time you connect.
Certificate Transparency OCSP Stapling OCSP stapling resolves a lot of these concerns. So, here's basically how it works. Instead of the client asking, the server asks the certificate authority, and the certificate authority hands a signed response back to the server. Then the server gives both the certificate and a promise that it's valid over to the client, all in line, all in the same handshake.
Certificate Transparency iOS app configuration Read apple documentation for more details on how to use it in iOS. It could be enabled in iOS in plist file with NSRequiresCertificateTransparency flag.
Certificate Transparency Conclusion Certificate transparency helps build secure mobile apps by ensuring a client accepts only publicly logged certificates. However, it does nothing to protect against rogue certificates that were publicly logged.
SSL pinning We use SSL pinning to ensure that the app communicates only with the designated server itself. One of the prerequisites for SSL pinning is saving the target's server SSL certificate within the app bundle. The saved certificate is used when defining the pinned certificate(s) upon session configuration. There is an additional step that can be performed that is called SSL pinning. With SSL pinning, the app can take matters into its own hands to perform additional validation on who it’s talking to, rather than relying on the more general list of trusted CAs. This would ensure that in cases like a CA being hacked, there would be an additional layer of security by the app to validate it’s still actually talking to our servers. SSL Pinning, is the process of associating a host with its certificate or public key. Once you know a host’s certificate or public key, you pin it to that host. In other words, you configure the app to reject all but one or a few predefined certificates or public keys. Whenever the app connects to a server, it compares the server certificate with the pinned certificate(s) or public key(s). If and only if they match, the app trusts the server and establishes the connection. Your mobile app should include the digital certificate or the public key within your app’s bundle. So even if someone issued certificate in trusted authority for your domain, and this certificate was added to a public log, we won’t let the connection to be established because this certificate won’t be the same as in our application.
Certificate or Public key pinning Certificate The certificate is easiest to pin. You can fetch the certificate out of band for the website. When the certificate expires, you would update your application with new certificate. At runtime, you retrieve the website or server's certificate in the callback. Within the callback, you compare the retrieved certificate with the certificate embedded within the program. If the comparison fails, then fail the method or function. There is a downside to pinning a certificate. If the site rotates its certificate on a regular basis, then your application would need to be updated regularly. For example, Google rotates its certificates, so you will need to update your application about once a month (if it depended on Google services). Even though Google rotates its certificates, the underlying public keys (within the certificate) remain static. Public Key Public key pinning is more flexible but a little trickier due to the extra steps necessary to extract the public key from a certificate. As with a certificate, the program checks the extracted public key with its embedded copy of the public key. There are two downsides two public key pinning. First, it’s harder to work with keys (versus certificates) since you usually must extract the key from the certificate. Second, the key is static and may violate key rotation policies.
Conclusion • Enable Certificate transparency in the app • Enable Public key pinning as an extra precaution I would say that the easiest step to make is to enable Certificate transparency in the application, as most of trusted Certificates authorities work with public logs already, and it will save our API from

Recommended

Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
Luca Bongiorni
 
Hosted-Engine-4.3-deep-dive
Hosted-Engine-4.3-deep-diveHosted-Engine-4.3-deep-dive
Hosted-Engine-4.3-deep-dive
suncbing1
 
OpenID Connectとネイティブアプリを取り巻く仕様と動向 Yahoo! JAPANの取り組み #openid #openid_tokyo
OpenID Connectとネイティブアプリを取り巻く仕様と動向 Yahoo! JAPANの取り組み #openid #openid_tokyo OpenID Connectとネイティブアプリを取り巻く仕様と動向 Yahoo! JAPANの取り組み #openid #openid_tokyo
OpenID Connectとネイティブアプリを取り巻く仕様と動向 Yahoo! JAPANの取り組み #openid #openid_tokyo
Yahoo!デベロッパーネットワーク
 
OAuth 2.0による認可の流れ
OAuth 2.0による認可の流れOAuth 2.0による認可の流れ
OAuth 2.0による認可の流れ
Takeshi Mikami
 
Verifiable credentials explained by CCI
Verifiable credentials explained by CCIVerifiable credentials explained by CCI
Verifiable credentials explained by CCI
Kaliya "Identity Woman" Young
 
Authorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsAuthorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice Environments
LeanIX GmbH
 
Architect day 20181128 - Afternoon Session
Architect day 20181128 - Afternoon SessionArchitect day 20181128 - Afternoon Session
Architect day 20181128 - Afternoon Session
Salesforce - Sweden, Denmark, Norway
 
Salesforce integration architecture 20200529
Salesforce integration architecture 20200529Salesforce integration architecture 20200529
Salesforce integration architecture 20200529
Hiroki Iida
 

Recommended

Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
Luca Bongiorni
 
Hosted-Engine-4.3-deep-dive
Hosted-Engine-4.3-deep-diveHosted-Engine-4.3-deep-dive
Hosted-Engine-4.3-deep-dive
suncbing1
 
OpenID Connectとネイティブアプリを取り巻く仕様と動向 Yahoo! JAPANの取り組み #openid #openid_tokyo
OpenID Connectとネイティブアプリを取り巻く仕様と動向 Yahoo! JAPANの取り組み #openid #openid_tokyo OpenID Connectとネイティブアプリを取り巻く仕様と動向 Yahoo! JAPANの取り組み #openid #openid_tokyo
OpenID Connectとネイティブアプリを取り巻く仕様と動向 Yahoo! JAPANの取り組み #openid #openid_tokyo
Yahoo!デベロッパーネットワーク
 
OAuth 2.0による認可の流れ
OAuth 2.0による認可の流れOAuth 2.0による認可の流れ
OAuth 2.0による認可の流れ
Takeshi Mikami
 
Verifiable credentials explained by CCI
Verifiable credentials explained by CCIVerifiable credentials explained by CCI
Verifiable credentials explained by CCI
Kaliya "Identity Woman" Young
 
Authorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsAuthorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice Environments
LeanIX GmbH
 
Architect day 20181128 - Afternoon Session
Architect day 20181128 - Afternoon SessionArchitect day 20181128 - Afternoon Session
Architect day 20181128 - Afternoon Session
Salesforce - Sweden, Denmark, Norway
 
Salesforce integration architecture 20200529
Salesforce integration architecture 20200529Salesforce integration architecture 20200529
Salesforce integration architecture 20200529
Hiroki Iida
 
Chapter 8 overview
Chapter 8 overviewChapter 8 overview
Chapter 8 overviewali raza
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOOliver Mueller
 
OAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveOAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveNov Matake
 
2. secure web gateway
2. secure web gateway2. secure web gateway
2. secure web gateway
Fabrizio Volpe
 
Relationships in Salesforce
Relationships in SalesforceRelationships in Salesforce
Relationships in Salesforce
MST Solutions LLC
 
Best Practices with Apex in 2022.pdf
Best Practices with Apex in 2022.pdfBest Practices with Apex in 2022.pdf
Best Practices with Apex in 2022.pdf
Mohith Shrivastava
 
Salesforce Integration Patterns
Salesforce Integration PatternsSalesforce Integration Patterns
Salesforce Integration Patterns
usolutions
 
OAuth認証について
OAuth認証についてOAuth認証について
OAuth認証について
Yoshifumi Sato
 
Blockchain Interview Questions And Answers | Blockchain Technology Interview ...
Blockchain Interview Questions And Answers | Blockchain Technology Interview ...Blockchain Interview Questions And Answers | Blockchain Technology Interview ...
Blockchain Interview Questions And Answers | Blockchain Technology Interview ...
Simplilearn
 
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
Masaru Kurahayashi
 
Self-Sovereign Identity: Ideology and Architecture with Christopher Allen
Self-Sovereign Identity: Ideology and Architecture with Christopher AllenSelf-Sovereign Identity: Ideology and Architecture with Christopher Allen
Self-Sovereign Identity: Ideology and Architecture with Christopher Allen
SSIMeetup
 
How SASE can help you move securely from the PSN with VMware and Breeze Networks
How SASE can help you move securely from the PSN with VMware and Breeze NetworksHow SASE can help you move securely from the PSN with VMware and Breeze Networks
How SASE can help you move securely from the PSN with VMware and Breeze Networks
Articulate Marketing
 
Blockchain
BlockchainBlockchain
Blockchain
Venkatesh Jambulingam
 
今更聞けないOAuth2.0
今更聞けないOAuth2.0今更聞けないOAuth2.0
今更聞けないOAuth2.0
Takahiro Sato
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)Yury Bondarau
 
Attacking Decentralized Identity.pdf
Attacking Decentralized Identity.pdfAttacking Decentralized Identity.pdf
Attacking Decentralized Identity.pdf
ssuser264cc11
 
The Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptxThe Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptx
awakish
 
Demystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync serverDemystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync server
Thomas Poett
 

More Related Content

What's hot

Chapter 8 overview
Chapter 8 overviewChapter 8 overview
Chapter 8 overviewali raza
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOOliver Mueller
 
OAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveOAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveNov Matake
 
2. secure web gateway
2. secure web gateway2. secure web gateway
2. secure web gateway
Fabrizio Volpe
 
Relationships in Salesforce
Relationships in SalesforceRelationships in Salesforce
Relationships in Salesforce
MST Solutions LLC
 
Best Practices with Apex in 2022.pdf
Best Practices with Apex in 2022.pdfBest Practices with Apex in 2022.pdf
Best Practices with Apex in 2022.pdf
Mohith Shrivastava
 
Salesforce Integration Patterns
Salesforce Integration PatternsSalesforce Integration Patterns
Salesforce Integration Patterns
usolutions
 
OAuth認証について
OAuth認証についてOAuth認証について
OAuth認証について
Yoshifumi Sato
 
Blockchain Interview Questions And Answers | Blockchain Technology Interview ...
Blockchain Interview Questions And Answers | Blockchain Technology Interview ...Blockchain Interview Questions And Answers | Blockchain Technology Interview ...
Blockchain Interview Questions And Answers | Blockchain Technology Interview ...
Simplilearn
 
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
Masaru Kurahayashi
 
Self-Sovereign Identity: Ideology and Architecture with Christopher Allen
Self-Sovereign Identity: Ideology and Architecture with Christopher AllenSelf-Sovereign Identity: Ideology and Architecture with Christopher Allen
Self-Sovereign Identity: Ideology and Architecture with Christopher Allen
SSIMeetup
 
How SASE can help you move securely from the PSN with VMware and Breeze Networks
How SASE can help you move securely from the PSN with VMware and Breeze NetworksHow SASE can help you move securely from the PSN with VMware and Breeze Networks
How SASE can help you move securely from the PSN with VMware and Breeze Networks
Articulate Marketing
 
Blockchain
BlockchainBlockchain
Blockchain
Venkatesh Jambulingam
 
今更聞けないOAuth2.0
今更聞けないOAuth2.0今更聞けないOAuth2.0
今更聞けないOAuth2.0
Takahiro Sato
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)Yury Bondarau
 
Attacking Decentralized Identity.pdf
Attacking Decentralized Identity.pdfAttacking Decentralized Identity.pdf
Attacking Decentralized Identity.pdf
ssuser264cc11
 

What's hot (20)

Chapter 8 overview
Chapter 8 overviewChapter 8 overview
Chapter 8 overview
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
 
OAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveOAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devlove
 
2. secure web gateway
2. secure web gateway2. secure web gateway
2. secure web gateway
 
Relationships in Salesforce
Relationships in SalesforceRelationships in Salesforce
Relationships in Salesforce
 
Best Practices with Apex in 2022.pdf
Best Practices with Apex in 2022.pdfBest Practices with Apex in 2022.pdf
Best Practices with Apex in 2022.pdf
 
Salesforce Integration Patterns
Salesforce Integration PatternsSalesforce Integration Patterns
Salesforce Integration Patterns
 
OAuth認証について
OAuth認証についてOAuth認証について
OAuth認証について
 
Blockchain Interview Questions And Answers | Blockchain Technology Interview ...
Blockchain Interview Questions And Answers | Blockchain Technology Interview ...Blockchain Interview Questions And Answers | Blockchain Technology Interview ...
Blockchain Interview Questions And Answers | Blockchain Technology Interview ...
 
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
 
Self-Sovereign Identity: Ideology and Architecture with Christopher Allen
Self-Sovereign Identity: Ideology and Architecture with Christopher AllenSelf-Sovereign Identity: Ideology and Architecture with Christopher Allen
Self-Sovereign Identity: Ideology and Architecture with Christopher Allen
 
How SASE can help you move securely from the PSN with VMware and Breeze Networks
How SASE can help you move securely from the PSN with VMware and Breeze NetworksHow SASE can help you move securely from the PSN with VMware and Breeze Networks
How SASE can help you move securely from the PSN with VMware and Breeze Networks
 
Blockchain
BlockchainBlockchain
Blockchain
 
今更聞けないOAuth2.0
今更聞けないOAuth2.0今更聞けないOAuth2.0
今更聞けないOAuth2.0
 
OAuth
OAuthOAuth
OAuth
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)
 
Attacking Decentralized Identity.pdf
Attacking Decentralized Identity.pdfAttacking Decentralized Identity.pdf
Attacking Decentralized Identity.pdf
 

Similar to Certificate pinning v certificate transparency

The Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptxThe Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptx
awakish
 
Demystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync serverDemystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync server
Thomas Poett
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
Bixlabs
 
Is web security part of your annual security audit
Is web security part of your annual security auditIs web security part of your annual security audit
Is web security part of your annual security auditDianne Douglas
 
Extended Validation SSL Certificates, A new standard to inspire trust, improv...
Extended Validation SSL Certificates, A new standard to inspire trust, improv...Extended Validation SSL Certificates, A new standard to inspire trust, improv...
Extended Validation SSL Certificates, A new standard to inspire trust, improv...
CheapSSLsecurity
 
Ssl Https Server
Ssl Https ServerSsl Https Server
Ssl Https Server
Ram Srivastava
 
Understanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by SymantecUnderstanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by Symantec
CheapSSLsecurity
 
Vps server 14
Vps server 14Vps server 14
Vps server 14
WanetaCuomo35
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
OWASP EEE
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
 
Digital certificates in e commerce
Digital certificates in e commerceDigital certificates in e commerce
Digital certificates in e commerce
mahesh tawade
 
Thawte EV SSL: A New Revolution for Trust
Thawte EV SSL: A New Revolution for TrustThawte EV SSL: A New Revolution for Trust
Thawte EV SSL: A New Revolution for Trust
RapidSSLOnline.com
 
A Complete RapidSSL Guide on Securing Online Business with SSL Certificate
A Complete RapidSSL Guide on Securing Online Business with SSL CertificateA Complete RapidSSL Guide on Securing Online Business with SSL Certificate
A Complete RapidSSL Guide on Securing Online Business with SSL Certificate
RapidSSLOnline.com
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of Mediocrity
T.Rob Wyatt
 
All About SSL/TLS
All About SSL/TLSAll About SSL/TLS
All About SSL/TLS
RapidSSLOnline.com
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
rhassan84
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
rhassan84
 
Types of SSL Certificates for Every Business Need
Types of SSL Certificates for Every Business NeedTypes of SSL Certificates for Every Business Need
Types of SSL Certificates for Every Business Need
awakish
 
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Siena Perry
 

Similar to Certificate pinning v certificate transparency (20)

The Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptxThe Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptx
 
Demystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync serverDemystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync server
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Is web security part of your annual security audit
Is web security part of your annual security auditIs web security part of your annual security audit
Is web security part of your annual security audit
 
Extended Validation SSL Certificates, A new standard to inspire trust, improv...
Extended Validation SSL Certificates, A new standard to inspire trust, improv...Extended Validation SSL Certificates, A new standard to inspire trust, improv...
Extended Validation SSL Certificates, A new standard to inspire trust, improv...
 
Ssl Https Server
Ssl Https ServerSsl Https Server
Ssl Https Server
 
Understanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by SymantecUnderstanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by Symantec
 
Vps server 14
Vps server 14Vps server 14
Vps server 14
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
 
Digital certificates in e commerce
Digital certificates in e commerceDigital certificates in e commerce
Digital certificates in e commerce
 
Thawte EV SSL: A New Revolution for Trust
Thawte EV SSL: A New Revolution for TrustThawte EV SSL: A New Revolution for Trust
Thawte EV SSL: A New Revolution for Trust
 
A Complete RapidSSL Guide on Securing Online Business with SSL Certificate
A Complete RapidSSL Guide on Securing Online Business with SSL CertificateA Complete RapidSSL Guide on Securing Online Business with SSL Certificate
A Complete RapidSSL Guide on Securing Online Business with SSL Certificate
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of Mediocrity
 
All About SSL/TLS
All About SSL/TLSAll About SSL/TLS
All About SSL/TLS
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Types of SSL Certificates for Every Business Need
Types of SSL Certificates for Every Business NeedTypes of SSL Certificates for Every Business Need
Types of SSL Certificates for Every Business Need
 
How does ssl work
How does ssl workHow does ssl work
How does ssl work
 
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
 

Certificate pinning v certificate transparency

  • 1. Certificate Pinning v Certificate Transparency
  • 2. iOS Trust Store Usually, we delegate setting up and maintaining TLS sessions to iOS. iOS checks for us if the certificate which server uses is trustworthy or not, by checking the root certificate during SSL handsha And it works well, for example if I try to intercept traffic from your device with a proxy tool, I won’t be able to do it, because this proxy tool generates certificate which is not it iOS trust store.
  • 3. iOS Trust Store This method has a weakness, however: An attacker can generate a self-signed certificate and include it in the iOS Trust Store or hack a root CA certificate. Or user can install certificate to trust by m Or for example I’m as developer would want to read api calls and change request or respond from server.
  • 4. Certificate Transparency Certificate Transparency is a standard for monitoring and auditing certificates. Its purpose is to help protect against fraudulently issued certificates. Certificate Transparency involves submitting a server’s public cert to a log that is available to the public. Certificate transparency works by having a network of publicly accessible log servers that provide cryptographic evidence when a certificate authority issues new certificate for any domain. These log servers can then be monitored to look out for suspicious certificates as well as audited to prove the logs are working as expected. The most critical part of certificate transparency is to be alerted to the issuance of new certificates so you can spot mis-issuance promptly. One tool for such monitoring is the open source ct_advisor hosted at https://ctadvisor.lolware.net. Another option is Facebook’s Certificate Transparency Monitoring tool which additionally can help you spot certificates created on domains trying to spoof yours. There are also tools such as Comodo’s Certificate Search tool that make it easy to search for your certificates in the public log files to help verify your expectations.
  • 5. Certificate Transparency So, here's a quick overview on how it works. First, the certificate authority not only issues a certificate to the server, but it also sends it over to the log. The log then sends a signed proof that the certificate has been included, and the server hands both that and the original certificate over to the application. That means you can validate the pair together. Client (ios app) will check that server certificates are supported by valid, signed Certificate transparency timestamps from at least two Certificate transparency logs trusted by Apple. So application won’t establish connection with a server if certificate doesn’t have an evidence that it was added to a log So, certificate transparency makes it more difficult to launch attacks. If the attacker can get a certificate from an authority that's not participating in public logs, they have no way to get that cryptographic proof that the certificate has been included in the log.
  • 6. Certificate Transparency Client checks for proof that certificate has been logged • In the certificate itself • In a TLS extension • Delivered via OCSP stapling
  • 7. Certificate Transparency In a SSL handshake Second one check during SSL handshake. Every time a client connects to that server it sees the certificate and it wants to know whether it's still valid. So, it asks the certificate authority right there in the middle of the SSL handshake, and the certificate authority answers if the certificate still valid or not. This has some issues. One of them is that it's slow. You're right in the middle of this handshake; you're trying to get your resources, you don't want to wait to make your network connection to some other entity, especially if that server is gone down. The other major issue is that it leaks a little bit about whatever activity you're doing online. Your certificate authority gets to see which host names you're connecting to because you're sending a response up each time you connect.
  • 8. Certificate Transparency OCSP Stapling OCSP stapling resolves a lot of these concerns. So, here's basically how it works. Instead of the client asking, the server asks the certificate authority, and the certificate authority hands a signed response back to the server. Then the server gives both the certificate and a promise that it's valid over to the client, all in line, all in the same handshake.
  • 9. Certificate Transparency iOS app configuration Read apple documentation for more details on how to use it in iOS. It could be enabled in iOS in plist file with NSRequiresCertificateTransparency flag.
  • 10. Certificate Transparency Conclusion Certificate transparency helps build secure mobile apps by ensuring a client accepts only publicly logged certificates. However, it does nothing to protect against rogue certificates that were publicly logged.
  • 11. SSL pinning We use SSL pinning to ensure that the app communicates only with the designated server itself. One of the prerequisites for SSL pinning is saving the target's server SSL certificate within the app bundle. The saved certificate is used when defining the pinned certificate(s) upon session configuration. There is an additional step that can be performed that is called SSL pinning. With SSL pinning, the app can take matters into its own hands to perform additional validation on who it’s talking to, rather than relying on the more general list of trusted CAs. This would ensure that in cases like a CA being hacked, there would be an additional layer of security by the app to validate it’s still actually talking to our servers. SSL Pinning, is the process of associating a host with its certificate or public key. Once you know a host’s certificate or public key, you pin it to that host. In other words, you configure the app to reject all but one or a few predefined certificates or public keys. Whenever the app connects to a server, it compares the server certificate with the pinned certificate(s) or public key(s). If and only if they match, the app trusts the server and establishes the connection. Your mobile app should include the digital certificate or the public key within your app’s bundle. So even if someone issued certificate in trusted authority for your domain, and this certificate was added to a public log, we won’t let the connection to be established because this certificate won’t be the same as in our application.
  • 12. Certificate or Public key pinning Certificate The certificate is easiest to pin. You can fetch the certificate out of band for the website. When the certificate expires, you would update your application with new certificate. At runtime, you retrieve the website or server's certificate in the callback. Within the callback, you compare the retrieved certificate with the certificate embedded within the program. If the comparison fails, then fail the method or function. There is a downside to pinning a certificate. If the site rotates its certificate on a regular basis, then your application would need to be updated regularly. For example, Google rotates its certificates, so you will need to update your application about once a month (if it depended on Google services). Even though Google rotates its certificates, the underlying public keys (within the certificate) remain static. Public Key Public key pinning is more flexible but a little trickier due to the extra steps necessary to extract the public key from a certificate. As with a certificate, the program checks the extracted public key with its embedded copy of the public key. There are two downsides two public key pinning. First, it’s harder to work with keys (versus certificates) since you usually must extract the key from the certificate. Second, the key is static and may violate key rotation policies.
  • 13. Conclusion • Enable Certificate transparency in the app • Enable Public key pinning as an extra precaution I would say that the easiest step to make is to enable Certificate transparency in the application, as most of trusted Certificates authorities work with public logs already, and it will save our API from

Editor's Notes

  1. Usually, we delegate setting up and maintaining TLS sessions to iOS. iOS checks for us if the certificate which server uses is trustworthy or not, by checking the root certificate during SSL handshake. This certificate should be issued by trustworthy Certificate Authority organisation, who are responsible for issuing SSL certificates. This means that when the app tries to establish a connection, it doesn’t determine which certificates to trust and which not to. The app relies entirely on the certificates that the iOS Trust Store provides. And it works well, for example if I try to intercept traffic from your device with a proxy tool, I won’t be able to do it, because this proxy tool generates certificate which is not it iOS trust store.
  2. This method has a weakness, however: An attacker can generate a self-signed certificate and include it in the iOS Trust Store or hack a root CA certificate. Or user can install certificate to trust by mistake. This allows such an attacker to set up a man-in-the-middle attack and capture the transmitted data moving to and from your app. Or for example I’m as developer would want to read api calls and change request or respond from server.
  3. Certificate Transparency is a standard for monitoring and auditing certificates. Its purpose is to help protect against fraudulently issued certificates. Certificate Transparency involves submitting a server’s public cert to a log that is available to the public. Certificate transparency works by having a network of publicly accessible log servers that provide cryptographic evidence when a certificate authority issues new certificate for any domain. These log servers can then be monitored to look out for suspicious certificates as well as audited to prove the logs are working as expected. The most critical part of certificate transparency is to be alerted to the issuance of new certificates so you can spot mis-issuance promptly. One tool for such monitoring is the open source ct_advisor. Another option is Facebook’s Certificate Transparency Monitoring tool which additionally can help you spot certificates created on domains trying to spoof yours. There are also tools such as Certificate Search tool that make it easy to search for your certificates in the public log files to help verify your expectations. Every certificate should be added into public logs, so anybody could check if there are new certificates were issued for a domain.
  4. So, here's a quick overview on how it works. First, the certificate authority not only issues a certificate to the server, but it also sends it over to the log. The log then sends a signed proof that the certificate has been included, and the server hands both that and the original certificate over to the application. That means you can validate the pair together. Client (ios app) will check that server certificates are supported by valid, signed Certificate transparency timestamps from at least two Certificate transparency logs trusted by Apple. So application won’t establish connection with a server if certificate doesn’t have an evidence that it was added to a log So, certificate transparency makes it more difficult to launch attacks. If the attacker can get a certificate from an authority that's not participating in public logs, they have no way to get that cryptographic proof that the certificate has been included in the log. So, they hand over the certificate alone and the client can reject it. Alternatively, if they are using a certificate authority that's participating, then that tainted certificate gets logged and is publically visible, and that gives you an opportunity to revoke the certificate at the certificate authority level.
  5. There are 3 ways for client to check that certificate was added to public logs. Proof can be embedded in the certificate itself, or it can get handed over in the SSL handshake, or it can be delivered by OCSP stapling. First one is server sends information that certificate has been logged in the certificate it self. It’s not very secure because it doesn’t check is certificate was revoked.
  6. Second one check during SSL handshake. Every time a client connects to that server it sees the certificate and it wants to know whether it's still valid. So, it asks the certificate authority right there in the middle of the SSL handshake, and the certificate authority answers if the certificate still valid or not. This has some issues. One of them is that it's slow. You're right in the middle of this handshake; you're trying to get your resources, you don't want to wait to make your network connection to some other entity, especially if that server is gone down. The other major issue is that it leaks a little bit about whatever activity you're doing online. Your certificate authority gets to see which host names you're connecting to because you're sending a response up each time you connect.
  7. OCSP stapling resolves a lot of these concerns. So, here's basically how it works. Instead of the client asking, the server asks the certificate authority, and the certificate authority hands a signed response back to the server. Then the server gives both the certificate and a promise that it's valid over to the client, all in line, all in the same handshake.
  8. It could be enabled in iOS in plist file with NSRequiresCertificateTransparency flag.
  9. Certificate transparency helps build secure mobile apps by ensuring a client accepts only publicly logged certificates. However, it does nothing to protect against rogue certificates that were publicly logged.
  10. There is an additional step that can be performed that is called SSL pinning. With SSL pinning, the app can take matters into its own hands to perform additional validation on who it’s talking to, rather than relying on the more general list of trusted CAs. This would ensure that in cases like a CA being hacked, there would be an additional layer of security by the app to validate it’s still actually talking to our servers. SSL Pinning, is the process of associating a host with its certificate or public key. Once you know a host’s certificate or public key, you pin it to that host. In other words, you configure the app to reject all but one or a few predefined certificates or public keys. Whenever the app connects to a server, it compares the server certificate with the pinned certificate(s) or public key(s). If and only if they match, the app trusts the server and establishes the connection. Your mobile app should include the digital certificate or the public key within your app’s bundle. So even if someone issued certificate in trusted authority for your domain, and this certificate was added to a public log, we won’t let the connection to be established because this certificate won’t be the same as in our application.
  11. Certificate The certificate is easiest to pin. You can fetch the certificate out of band for the website. When the certificate expires, you would need to update your application. At runtime, you retrieve the website or server's certificate in the callback. Within the callback, you compare the retrieved certificate with the certificate embedded within the program. If the comparison fails, then SSL handshake fails. There is a downside to pinning a certificate. You will need to update your application every time you issue new certificate. Otherwise your application won’t work ones old one expires. Public Key Public key pinning is more flexible but a little trickier due to the extra steps necessary to extract the public key from a certificate. As with a certificate, the program checks the extracted public key with its embedded copy of the public key. There are two downsides two public key pinning. First, it’s harder to work with keys (versus certificates) since you usually must extract the key from the certificate. Second, the key is static and may violate key rotation policies. And, of course, nothing is 100% secure. There is a way to break through this checks too. The hacker can reverse-engineere application and update public key or just to change the result of certificate check function from no to yes. And there are ways to protect ourselves from this too but it is not a topic of todays discussion.
  12. I would say that the easiest step to make is to enable Certificate transparency in the application, as most of trusted Certificates authorities work with public logs already, and it will save our API from being exposed, and users from man in the middle attacks. Also we can Implement Public kay pinning as an extra precaution, so to me sure that no one tries to create a certificate for our domain in trusted Certificate Authority.