Certificate Authority certificates are generally bundled in with the application that they're used with, but how can you automatically update them securely?
In PHP, it is recommended to use https://curl.haxx.se/ca/cacert.pem along with cURL, which is safe if you've pre-bundled it, but that URL does not support HTTPS, so it is perfectly possible for a middle-man attack to spoof different certs.
This is related to the problem of secure code delivery, and consequently I suspect the solution to that would also solve this.
Bug the folks at Mozilla to GPG sign certdata.txt, verify the signatures on your end, and then use the same Perl script that the Curl team uses to build your own .pem file. Cut out the middleman.
Note: If the folks at curl.haxx.se aren't able to set up HTTPS, I don't know how much luck the community would have in convincing them to set up this authenticity process.
This would prevent someone from interfering with your communications with curl.haxx.se, while also preventing someone who hacked curl.haxx.se from serving a poisoned certificate list to end users. By advertising the certificates and timestamps in a decentralized ledger, and providing some mechanism for client-side verification, targeted attacks cease to be feasible.
This would not stop the folks at curl.haxx.se from turning evil.
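
One way to implement the verify-before-use step the answer above calls for, as an added example that is not part of the original post or of curl's tooling. It assumes a detached signature is published beside the bundle and the application ships the matching public key, and it uses an OpenSSL SHA-256 signature as a stand-in for the GPG signature the answer proposes; `install_ca_bundle` and `make_constructed_inputs` are hypothetical names.

```bash
# Added example: fail-closed CA bundle update (hypothetical helper names).
# Assumption: a detached signature is published beside the bundle and the
# application ships the matching public key. OpenSSL stands in for GPG here.

# install_ca_bundle NEW_BUNDLE SIGNATURE PINNED_PUBKEY DEST
# Returns 0 and replaces DEST only when every check passes; otherwise DEST is
# left untouched (1 = bad signature, 2 = not a bundle, 3 = install failed).
install_ca_bundle() {
    local new="$1" sig="$2" pub="$3" dest="$4" tmp count

    # 1. Authenticity first: trust no byte of the download until it verifies.
    if ! openssl dgst -sha256 -verify "$pub" -signature "$sig" "$new" >/dev/null 2>&1; then
        echo "signature check failed, keeping existing bundle" >&2
        return 1
    fi

    # 2. Sanity: a validly signed but empty file would break every TLS connection.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$new" || true)
    if [ "${count:-0}" -lt 1 ]; then
        echo "no certificates found, keeping existing bundle" >&2
        return 2
    fi

    # 3. Atomic replace: copy next to DEST, then rename over it, so a reader
    #    never sees a half-written bundle.
    tmp=$(mktemp "${dest}.XXXXXX") || return 3
    cp "$new" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest" \
        || { rm -f "$tmp"; return 3; }
}

# make_constructed_inputs DIR: throwaway key pair plus a dummy bundle and its
# signature, all constructed for this example (the body is not a real cert).
make_constructed_inputs() {
    local d="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/key.pem" 2>/dev/null
    openssl pkey -in "$d/key.pem" -pubout -out "$d/pub.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/new.pem"
    openssl dgst -sha256 -sign "$d/key.pem" -out "$d/new.sig" "$d/new.pem"
}
```

The pinned public key has to come from the application package itself, never from the same download as the bundle, or the check authenticates nothing.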