Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Do you trust that certificate?

1,067 views

Published on

I hope to communicate to developers of web apps, especially of those handles payment information, that they should be aware of what they trust when developing an app. This should make the app more secure and make the developers aware of when to update gems or certs.

A rabbit*1 presentation presented as a Lighting Talk at RubyKaigi 2015*2.

- *1 http://rabbit-shocker.org/
- *2 http://rubykaigi.org/2015/presentations/lt

URLs
- https:/www.hyuki.com/cr/
- https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/
- https://ja.wikipedia.org/wiki/SHA-1
- https://aws.amazon.com/security/security-bulletins/aws-to-switch-to-sha256-hash-algorithm-for-ssl-certificates/
- https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Do you trust that certificate?

  1. 1. Do you trust that certificate?
  2. 2. @zundan
  3. 3. @zundan
  4. 4. @zundan
  5. 5. Important!
  6. 6. Introduction to modern cryptography
  7. 7. www.hyuki.com/cr/
  8. 8. Transport Layer Security
  9. 9. Secure Socket Layer
  10. 10. TLS/SSL
  11. 11. https://
  12. 12. A web application
  13. 13. Receives requests
  14. 14. Calls external resources
  15. 15. That handles secret information
  16. 16. How does app trust them?
  17. 17. PKI
  18. 18. Public-key nfrastructure
  19. 19. Server certificate
  20. 20. Signed by Certificate Authority
  21. 21. Certificate chain ssl.zunda.ninja:443 | COMODO RSA Validation Secure Server CA | COMODO RSA Certification Authority | | AddTrust External CA Root
  22. 22. One day
  23. 23. Error
  24. 24. Error SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
  25. 25. I did not change anything!
  26. 26. but
  27. 27. Something outside has changed
  28. 28. Error SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
  29. 29. Certificate chain ssl.zunda.ninja:443 | [NEW] Some Server CA | [NEW] Some Certification Authority | | [NEW] Unknown CA Root
  30. 30. 2014-09 1024 bit hash
  31. 31. 2015-09 SHA-1
  32. 32. Replace with new certs
  33. 33. On new CA certs
  34. 34. That app does not know
  35. 35. Certificate chain ssl.zunda.ninja:443 | [NEW] Some Server CA | [NEW] Some Certification Authority | | [????]
  36. 36. Error SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
  37. 37. So ...
  38. 38. $ bundle update
  39. 39. well ...
  40. 40. Include new CA cert in app
  41. 41. Monkey patch to use it
  42. 42. Net::HTTP module Net class HTTP alias_method :original_use_ssl=, :use_ssl= def use_ssl=(flag) self.ca_file = File.dirname(__FILE__) + '/../../certs/cacert.pem' self.verify_mode = OpenSSL::SSL::VERIFY_PEER self.original_use_ssl = flag end end end
  43. 43. ActiveMerchant module ActiveMerchant class Connection def configure_ssl(http) return unless endpoint.scheme == "https" http.use_ssl = true if verify_peer http.verify_mode = OpenSSL::SSL::VERIFY_PEER http.ca_file = File.dirname(__FILE__) + '/../../certs/cacert.pem' else http.verify_mode = OpenSSL::SSL::VERIFY_NONE end end end end
  44. 44. System's CA certs
  45. 45. Where are they?
  46. 46. System's certs $ openssl version -d OPENSSLDIR: "/usr/lib/ssl" $ ls /usr/lib/ssl certs@ misc/ openssl.cnf@ private@ $ ls -l /usr/lib/ssl/certs ... /usr/lib/ssl/certs -> /etc/ssl/certs/
  47. 47. openssl/ssl.rb If the verify_mode is not VERIFY_NONE and ca_file, ca_path and cert_store are not set then the system default certificate store is used.
  48. 48. openssl/ssl.rb module OpenSSL module SSL class SSLContext def set_params(params={}) # snip if self.verify_mode != OpenSSL::SSL::VERIFY_NONE unless self.ca_file or self.ca_path or self.cert_store self.cert_store = OpenSSL::X509::Store.new end end return params end end end end
  49. 49. System's certs module ActiveMerchant class Connection def configure_ssl(http) return unless endpoint.scheme == "https" http.use_ssl = true if verify_peer http.verify_mode = OpenSSL::SSL::VERIFY_PEER http.ca_path = nil http.ca_file = nil else http.verify_mode = OpenSSL::SSL::VERIFY_NONE end end end end
  50. 50. Anyway
  51. 51. Remember what we trust
  52. 52. What are coming?
  53. 53. 2016-06-01
  54. 54. Symantec certs on Google products?
  55. 55. Will there be updates?
  56. 56. On Ubuntu : 2013-01-19 2013-06-10 2013-09-06 2014-03-25 2014-10-19 2015-04-26 launchpad - ca-certificates
  57. 57. On ActiveMerchant 2007-03-03 2011-09-15 2015-01-16 activemerchant - active_merchant
  58. 58. Remember and be prepared!
  59. 59. Once more
  60. 60. www.hyuki.com/cr/
  61. 61. CRL
  62. 62. Certificate Revocation List
  63. 63. How are we updating this?
  64. 64. SSL and TLS1.0 will be disabled
  65. 65. PCI Compliance
  66. 66. Payment Card Industry
  67. 67. Remember what we trust
  68. 68. URLs 暗号技術入門 Phasing out Certificates with 1024-bit RSA Keys SHA-1 AWS to Switch to SHA256 Hash Algorithm for SSL Certificates Sustaining Digital Certificate
  69. 69. CC BY-ND 4.0 Presented as a lightning talk in RubyKaigi 2015 on 2015-12-12 Copyright 2015 by zunda <zundan@gmail.com>

×