Re: [websec] Certificate Pinning via HSTS

Adam Langley <agl@google.com> Tue, 13 September 2011 08:57 UTC

In-Reply-To: <86A71F95-AAFF-4A09-853E-3888962C4930@checkpoint.com>
References: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com> <498A0E83-7C80-4226-9D69-7A7E93D8C929@bbn.com> <86A71F95-AAFF-4A09-853E-3888962C4930@checkpoint.com>
Date: Tue, 13 Sep 2011 04:59:12 -0400
Message-ID: <CAL9PXLxcg4jM=4ox_CMjtK_WD_AteiuciVQr7JLfL-C1AjJwxA@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: Chris Evans <cevans@google.com>, "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>

On Tue, Sep 13, 2011 at 1:53 AM, Yoav Nir <ynir@checkpoint.com> wrote:
> I can think of two reasons.

You're basically right. Quoting from my
http://www.imperialviolet.org/2011/05/04/pinning.html

"In general, hashing certificates is the obvious solution, but the
wrong one. The problem is that CA certificates are often reissued:
there are multiple certificates with the same public key, subject name
etc but different extensions or expiry dates. Browsers build
certificate chains from a pool of certificates, bottom up, and an
alternative version of a certificate might be substituted for the one
that you expect.

For example, StartSSL has two root certificates: one signed with SHA1
and the other with SHA256. If you wished to pin to StartSSL as your
CA, which certificate hash would you use? You would have to use both,
but how would you know about the other root if I hadn't just told you?

Conversely, public key hashes must be correct:

Browsers assume that the leaf certificate is fixed: it's always the
starting point of the chain. The leaf certificate contains a signature
which must be a valid signature, from its parent, for that
certificate. That implies that the public key of the parent is fixed
by the leaf certificate. So, inductively, the chain of public keys is
fixed, modulo truncation.

The only sharp edge is that you mustn't pin to a cross-certifying
root. For example, GoDaddy's root is signed by Valicert so that older
clients, which don't recognise GoDaddy as a root, still trust those
certificates. However, you wouldn't want to pin to Valicert because
newer clients will stop their chain at GoDaddy."


Public key hashes are hashes of the SubjectPublicKeyInfo, which should
be nailed down in any spec.

There is the possibility of a cert getting reissued with a different
SPKI, but the same effective public key. (i.e. omitting a NULL
AlgorithmIdentifier.Parameters). However, I'm not aware of any
instances of this actually happening.


Cheers

AGL
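The three points in the message above (pin the SubjectPublicKeyInfo, not the certificate; don't pin a cross-certifying root; an RSA SPKI can be re-encoded without the NULL parameters and stop matching) as a worked example. This is code added by the editor, not code from Adam's post, from Chromium or from the draft. It builds a throwaway PKI with the Go standard library: "Root A" plays GoDaddy (self-signed and also cross-signed by "Old Root B", which plays Valicert), and "www.example.com" is a constructed leaf. The pin form, base64(SHA-256(DER SPKI)), and the rule that a chain satisfies the pin set if any certificate in it carries a pinned key are the ones RFC 7469 (HPKP) later fixed; the post itself does not specify an encoding. All function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// pin is base64(SHA-256(der)). Over c.RawSubjectPublicKeyInfo it is the key
// pin the post argues for; over c.Raw it is the whole-certificate hash.
func pin(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainSatisfiesPins is met when any certificate in the chain the client
// actually built carries a pinned SubjectPublicKeyInfo (the RFC 7469 rule).
func chainSatisfiesPins(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[pin(c.RawSubjectPublicKeyInfo)] {
			return true
		}
	}
	return false
}

// mkCert issues a certificate for pub, signed with signer's key under parent
// (self-signed when parent is nil). Only the fields the demo needs are set.
func mkCert(cn string, pub, signer any, parent *x509.Certificate, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Date(2011, 9, 13, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2031, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func ecKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func rsaKey() *rsa.PrivateKey  { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// buildChains models the GoDaddy/Valicert case: Root A's key is certified twice,
// self-signed and cross-signed by the older Root B. A client that trusts A stops
// at aSelf; an older one continues through aCross to B. Same leaf in both chains.
func buildChains() (newClient, oldClient []*x509.Certificate) {
	kA, kB, kLeaf := ecKey(), ecKey(), ecKey()
	aSelf := mkCert("Root A", &kA.PublicKey, kA, nil, true)
	bSelf := mkCert("Old Root B", &kB.PublicKey, kB, nil, true)
	aCross := mkCert("Root A", &kA.PublicKey, kB, bSelf, true) // same SPKI as aSelf, different bytes
	leaf := mkCert("www.example.com", &kLeaf.PublicKey, kA, aSelf, false)
	return []*x509.Certificate{leaf, aSelf}, []*x509.Certificate{leaf, aCross, bSelf}
}

// rsaSPKIVariants returns the RFC 3279 encoding of an RSA SubjectPublicKeyInfo
// (AlgorithmIdentifier parameters present as NULL) and a re-encoding that omits
// the NULL: same modulus and exponent, different DER, hence a different pin.
// Go's x509.ParsePKIXPublicKey rejects the second form; other stacks may not.
func rsaSPKIVariants(pub *rsa.PublicKey) (withNull, withoutNull []byte) {
	type algNoParams struct{ Algorithm asn1.ObjectIdentifier }
	type spkiNoParams struct {
		Algorithm algNoParams
		PublicKey asn1.BitString
	}
	pkcs1 := x509.MarshalPKCS1PublicKey(pub)
	withNull = must(x509.MarshalPKIXPublicKey(pub))
	withoutNull = must(asn1.Marshal(spkiNoParams{
		algNoParams{asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}}, // rsaEncryption
		asn1.BitString{Bytes: pkcs1, BitLength: 8 * len(pkcs1)}}))
	return
}

func main() {
	newChain, oldChain := buildChains()
	aSelf, aCross, bSelf := newChain[1], oldChain[1], oldChain[2]
	fmt.Println("Root A reissued: cert hashes equal:", pin(aSelf.Raw) == pin(aCross.Raw), " SPKI pins equal:", pin(aSelf.RawSubjectPublicKeyInfo) == pin(aCross.RawSubjectPublicKeyInfo))
	pinA, pinB := map[string]bool{pin(aSelf.RawSubjectPublicKeyInfo): true}, map[string]bool{pin(bSelf.RawSubjectPublicKeyInfo): true}
	fmt.Println("pin Root A:     new client", chainSatisfiesPins(newChain, pinA), " old client", chainSatisfiesPins(oldChain, pinA))
	fmt.Println("pin Old Root B: new client", chainSatisfiesPins(newChain, pinB), " old client", chainSatisfiesPins(oldChain, pinB))
	rk := rsaKey()
	a, b := rsaSPKIVariants(&rk.PublicKey)
	fmt.Println("RSA SPKI with vs without NULL params: pins equal:", pin(a) == pin(b))
}
```

Running it shows the two certificates for Root A hashing differently while their SPKI pins agree, a pin on Root A satisfied by both chain constructions, a pin on Old Root B satisfied only by the old client's chain, and the two RSA SPKI encodings of one key yielding different pins. The last case is the edge the message flags as theoretical: if a spec wants to tolerate it, it has to say which DER it pins, or mandate the RFC 3279 form, rather than leave it to whichever encoder the CA used.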