
Securely updating Certificate Authority Certificates

Certificate Authority certificates are generally bundled in with the application that they're used with, but how can you automatically update them securely?

In PHP, it is recommended to use https://curl.haxx.se/ca/cacert.pem along with cURL, which is safe if you've pre-bundled it, but that URL does not support HTTPS, so it is perfectly possible for a middle-man attack to spoof different certs.

This is related to the problem of secure code delivery, and consequently I suspect the solution to that would also solve this.

Practical Solution for Today

Bug the folks at Mozilla to GPG sign certdata.txt, verify the signatures on your end, and then use the same Perl script that the Curl team uses to build your own .pem file. Cut out the middleman.

Hypothetical Solution for Tomorrow

Note: If the folks at curl.haxx.se aren't able to set up HTTPS, I don't know how much luck the community would have in convincing them to set up this authenticity process.

  1. Transport Layer Security should be mandatory.
  2. Digital signatures (GnuPG, minisign, etc.) should be used.
  3. The signatures and their timestamps should be advertised in a blockchain (e.g. Bitcoin), or a system like Google's certificate transparency.

This would prevent someone from interfering with your communications with curl.haxx.se, while also preventing someone who hacked curl.haxx.se from serving a poisoned certificate list to end users. By advertising the certificates and timestamps in a decentralized ledger, and providing some mechanism for client-side verification, targeted attacks cease to be feasible.

This would not stop the folks at curl.haxx.se from turning evil.
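
The client-side half of point 2 above, as an added example that is not part of the original answer: a PHP updater that replaces the CA bundle only when a detached signature over the downloaded bytes verifies against a public key shipped with the application. Ed25519 from PHP's sodium extension is swapped in here for the GnuPG or minisign signature the answer names; the function name, the demo key pair, the bundle contents and the destination path are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: install $bundle at $dest only if the detached Ed25519
// signature $sig over its exact bytes verifies against the pinned public key.
function install_verified_bundle(string $bundle, string $sig, string $pinnedKey, string $dest): bool
{
    // Reject wrong-length input up front; libsodium throws on it otherwise.
    if (strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($pinnedKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    // Fails if the file was altered in transit or on the download server.
    if (!sodium_crypto_sign_verify_detached($sig, $bundle, $pinnedKey)) {
        return false;
    }
    // A correctly signed but empty or truncated file is still useless to cURL.
    if (substr_count($bundle, '-----BEGIN CERTIFICATE-----') < 1) {
        return false;
    }
    // Write beside the destination, then rename, so readers never see a partial file.
    $tmp = tempnam(dirname($dest), 'ca-');
    if ($tmp === false) {
        return false;
    }
    if (file_put_contents($tmp, $bundle) !== strlen($bundle)
        || !chmod($tmp, 0644)
        || !rename($tmp, $dest)) {
        unlink($tmp);
        return false;
    }
    return true;
}

// Constructed demo data: a throwaway key pair stands in for the publisher's key.
$pair   = sodium_crypto_sign_keypair();
$pinned = sodium_crypto_sign_publickey($pair); // this half ships inside the application
$bundle = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n";
$sig    = sodium_crypto_sign_detached($bundle, sodium_crypto_sign_secretkey($pair));
$dest   = sys_get_temp_dir() . '/cacert-demo.pem';

var_dump(install_verified_bundle($bundle, $sig, $pinned, $dest));            // genuine bundle
var_dump(install_verified_bundle($bundle . 'extra', $sig, $pinned, $dest));  // tampered bundle
```

The check is independent of how the bundle was fetched, so it holds even over plain HTTP; it does not cover point 3, since a validly signed but outdated bundle would still be accepted.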
