
Certificate pinning is a technique originally designed to prevent man-in-the-middle (MITM) attacks: a client accepts only authorized (“pinned”) certificates or public keys when communicating with a given web server.
By specifying which certificates are acceptable for a particular website, the technique limits the risk posed by any other certificate, even one issued by a trusted CA.
HPKP (HTTP Public Key Pinning) has its roots in 2011, when Google programmed Chrome to accept only a “hard-coded” set of certificates when connecting to google.com domain names.
When Chrome connected to the google.com website, it already knew which CAs to accept. If a certificate from any other CA was presented, the connection would not proceed. This meant that if an attacker managed to convince a publicly trusted CA to issue them a certificate for the google.com domain, Chrome would still refuse the connection when accessing the website.
Fast-forward to 2015: Chrome and Firefox started honoring the HTTP Public Key Pinning (HPKP) header. The first time a browser connected to a website using HPKP, it recorded the public key hashes from the header and would accept only those keys on every later connection to the site, until the “max-age” defined in the HPKP header elapsed.
Meanwhile, this technique was also introduced in mobile apps, IoT devices, and other software.
These practices, when implemented correctly, can greatly enhance security. However, when poorly documented and poorly implemented, they can create more problems than they solve.
HPKP can offer enhanced control for organizations that wish to be very specific about the certificate-based authentication for their websites. The expectation is that it prevents attackers from using fraudulent certificates to gain illegitimate access to applications or data, whether through MITM attacks, invalid certificates or compromised CAs.
Pinning, especially with HPKP, is extremely risky and error prone. If you configure your pinning settings incorrectly, you could end up DoS-ing your own website or breaking connectivity in your application, with limited recourse until the “max-age” time has elapsed.
Here are a few ways in which pinning can cause harm.
A common (bad) practice with HPKP is to pin the “leaf certificate” (end-entity certificate) public key to a website for 60 days. This means that for the next 60 days, your browser will only accept that certificate during the TLS exchange when accessing that website.
Many sites do not specify backup keys, underestimating the risk of relying on a single key. If that key is compromised (accidentally leaked in a GitHub repo, stolen during a data breach or an insider attack, etc.), then it is game over.
CAs are required to revoke the certificate for that key. With no other pinned key available, legitimate clients can no longer reach the website.
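To make the header mechanics and the single-key failure mode concrete, here is an added example (not code from the original article) that models what an HPKP-conformant client does per RFC 7469: it parses a Public-Key-Pins header, refuses to note a policy that has no backup pin, and on later connections accepts a server only if some key in the served chain matches a noted pin, until max-age expires. It uses only the Python standard library; the key material is constructed byte strings standing in for DER-encoded SubjectPublicKeyInfo blobs (the real pin value is the base64 SHA-256 of that DER), and the host name example.com is likewise an assumption.

```python
import base64
import hashlib
from dataclasses import dataclass, field


def spki_fingerprint(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo)) per RFC 7469 section 2.4."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header into its pin list, max-age and includeSubDomains flag."""
    pins, max_age, include_subdomains = [], None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


@dataclass
class PinStore:
    """Minimal model of a browser's pin store: host -> (noted pins, expiry time)."""
    entries: dict = field(default_factory=dict)

    def note(self, host: str, header: str, chain_spki: list, now: int) -> None:
        """Record pins from a header received over a validated TLS connection."""
        policy = parse_hpkp_header(header)
        header_pins = set(policy["pins"])
        chain_pins = {spki_fingerprint(k) for k in chain_spki}
        # RFC 7469 section 2.5: at least one pin must match the served chain ...
        if not header_pins & chain_pins:
            raise ValueError("no pin matches the served chain; header ignored")
        # ... and at least one pin must NOT match it, i.e. a backup pin is mandatory.
        if not header_pins - chain_pins:
            raise ValueError("no backup pin present; header rejected")
        self.entries[host] = (header_pins, now + policy["max_age"])

    def validate(self, host: str, chain_spki: list, now: int) -> bool:
        """Pin validation on a later connection: some key in the chain must match a noted pin."""
        entry = self.entries.get(host)
        if entry is None:
            return True  # nothing noted yet: trust on first use
        pins, expiry = entry
        if now >= expiry:
            del self.entries[host]  # policy expired; the site is reachable again
            return True
        return any(spki_fingerprint(k) in pins for k in chain_spki)


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
KEY_A = b"constructed-spki-key-A"  # key in the leaf certificate currently served
KEY_B = b"constructed-spki-key-B"  # backup key kept offline: pinned, never served so far
KEY_C = b"constructed-spki-key-C"  # emergency key that was never pinned
SIXTY_DAYS = 60 * 24 * 3600


def single_pin_header_is_rejected() -> bool:
    """A header pinning only the served leaf key (no backup) is refused by a conformant client."""
    store = PinStore()
    header = f'pin-sha256="{spki_fingerprint(KEY_A)}"; max-age={SIXTY_DAYS}'
    try:
        store.note("example.com", header, [KEY_A], now=0)
    except ValueError:
        return True
    return False


def rotation_outcomes() -> dict:
    """Pin A plus backup B for 60 days, then see which replacement keys clients still accept."""
    store = PinStore()
    header = (f'pin-sha256="{spki_fingerprint(KEY_A)}"; '
              f'pin-sha256="{spki_fingerprint(KEY_B)}"; max-age={SIXTY_DAYS}')
    t0 = 1_000_000
    store.note("example.com", header, [KEY_A], now=t0)
    return {
        "current_key_accepted": store.validate("example.com", [KEY_A], t0 + 1),
        "rotate_to_backup_accepted": store.validate("example.com", [KEY_B], t0 + 1),
        "rotate_to_unpinned_key_accepted": store.validate("example.com", [KEY_C], t0 + 1),
        "unpinned_key_after_max_age": store.validate("example.com", [KEY_C], t0 + SIXTY_DAYS),
    }


if __name__ == "__main__":
    print("single-pin header rejected:", single_pin_header_is_rejected())
    print(rotation_outcomes())
```

The rotation results are the whole point: a client that noted pins for A and B accepts a switch to the offline backup B, but a switch to any other key C is refused for the full 60 days, no matter how legitimate the new certificate is. That is the self-inflicted outage the article warns about, and the only ways out are to serve a pinned key or to wait for max-age to run down.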
Cryptographic agility is necessary whenever you must replace certificates that are about to expire with new ones.
Since pinning is just a fancy word for “hardcoding”, any change to the certificate requires both a new certificate AND a patch to the application.
Updating applications may not be straightforward, especially on a limited timeline, and clients that do not install the latest version may no longer be able to access the website.
CAs can revoke certificates with little or no prior warning, which can catch your website completely by surprise. As with cryptographic agility, you may be left scrambling to update your web app quickly so that users can access it.
Certificate pinning using HPKP has rapidly become widely discredited on the grounds that it carries unacceptable certificate agility costs with little benefit.
As a result, HPKP was deprecated altogether in 2018 in favor of another header: Expect-CT.