
SSL or Code Signing Certificate

We have to make sure that our REST services are secure and we are thinking about using an SSL certificate for that; however, someone is suggesting using a code signing certificate and I am not sure whether it will provide the HTTPS protocol and secure client/server communication (point to point). There is not much information available on the internet; it will help if someone can elaborate on it and let me know if a code signing certificate will also use HTTPS in the browser to make secure client/server communication.

Thanks in advance.

... however, someone is suggesting using a code signing certificate and I am not sure whether it will provide the HTTPS protocol and secure client/server communication.

Code signing won't help. The web security model is not set up that way. Some good reading on the subject is the STREWS web security report. It highlights almost all security features, but it often omits security gaps (i.e., it fails to document risk).

Under the current model, the browser executes code regardless of where it came from. It could be HTTPS, HTTP or injected by a bad guy. As the "browser as a platform" expands and becomes more fully featured to align with native applications, the current model does not meet needs. That's because some APIs deal with sensitive data, like Camera, Microphone and Location, so something more than "any code can run from anywhere" is needed.

The web's model is moving towards Secure Origins to authorize code to run when it intersects with sensitive data. The only thing you need for a secure origin is a server certificate to identify the host. Also see Prefer Secure Origins For Powerful New Features in Chrome and the various discussions on the IETF's web-app-sec mailing list.

Now would be a good time to mention the web is making the leap that Authentication is Authorization. An X509 certificate only identifies the server; it does not authorize any privilege per se. The CA that certifies the identity of the host does not make those claims or warrant anything remotely close to it. And Public Key Pinning with Overrides breaks the presumptions of Secure Contexts.

Authentication is Authorization is the same mistake made by Java with its applets and the sandbox. Treating authorization as if it were authentication got so bad with Java that the recommendation became "don't ask for any permissions because it allows you to break out of the sandbox (and only malware asks for permissions)". For more reading, see Java's Losing Security Legacy.

Someone doesn't know what they are talking about. SSL endpoints are secured with SSL certificates. Code is secured with code signing certificates. Never the twain shall meet.
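Both answers make the same point: a TLS endpoint needs a server certificate that identifies the host, and a code signing certificate is issued for a different purpose. The concrete mechanism that enforces this is the Extended Key Usage (EKU) extension: a certificate issued for code signing carries the codeSigning EKU, and a TLS client that validates EKU will not accept it as a server identity because serverAuth is absent. The example below is added here to illustrate that check and is not code from either answer or from any project on the page. It builds two constructed self-signed certificates with the `cryptography` library (one with serverAuth, one with codeSigning; the host name and organisation name are made up) and applies the same EKU rule a browser applies:

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_self_signed(common_name: str, eku_oids) -> x509.Certificate:
    """Build a throwaway self-signed certificate carrying the given EKU OIDs.

    This is constructed test data, not a certificate a CA would issue; it exists
    only so the EKU check below has something realistic to inspect.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=30))
        # EKU is the extension that states what the certificate may be used for.
        .add_extension(x509.ExtendedKeyUsage(list(eku_oids)), critical=False)
    )
    return builder.sign(key, hashes.SHA256())


def usable_for_tls_server(cert: x509.Certificate) -> tuple[bool, str]:
    """Apply the EKU rule a TLS client applies when authenticating a server.

    Returns (accepted, reason). A certificate with no EKU extension is
    unrestricted; one with an EKU must list serverAuth (id-kp-serverAuth,
    1.3.6.1.5.5.7.3.1) or the client rejects it as a server identity.
    """
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True, "no EKU extension present: usage is unrestricted"
    if ExtendedKeyUsageOID.SERVER_AUTH in eku:
        return True, "EKU includes serverAuth"
    present = ", ".join(oid.dotted_string for oid in eku)
    return False, f"EKU lacks serverAuth (present: {present})"


def classify_demo() -> dict:
    """Run the check against one TLS server certificate and one code signing
    certificate (both constructed here) and return the verdicts keyed by role."""
    tls_cert = make_self_signed("api.example.test", [ExtendedKeyUsageOID.SERVER_AUTH])
    signing_cert = make_self_signed("Example Corp Releases", [ExtendedKeyUsageOID.CODE_SIGNING])
    return {
        "tls-server": usable_for_tls_server(tls_cert),
        "code-signing": usable_for_tls_server(signing_cert),
    }


if __name__ == "__main__":
    for role, (accepted, reason) in classify_demo().items():
        print(f"{role:13s} accepted as TLS server: {accepted}  ({reason})")
```

The first certificate is accepted and the second is refused with the reason that its EKU only lists code signing (1.3.6.1.5.5.7.3.3). That refusal is exactly what a browser does before it even reaches host-name matching, which is why a code signing certificate cannot serve HTTPS for the REST endpoints in the question, regardless of which CA issued it.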
