sarahj | 10 years ago
You have proposed a solution to that second problem, let's look at the threat model:
Your adversary is:
* Capable of forcing or otherwise being able to create valid certificates.
* Has the capability to MITM nodes in a network.
The solution you have provided adds an additional hurdle for the adversary:
* must also be able to subvert your CA (or more generally, a specific CA - it doesn't actually matter if you or someone else controls it - what matters is it is a specific root certificate).
So the browser, now TOFU'ing the initial certificate, makes a note of the current certificate (and pins it) as well as the secondary signing CA (and also pins that).
When you want to rotate certificates you have your new cert signed by the two CAs, one of which has to be the pinned CA.
I actually think this is a fairly elegant solution (for the operator), although it does come with some fairly large assumptions:
* If your adversary is large enough to be able to corrupt multiple CAs (say a federal government) - then they are powerful enough to corrupt all your CAs (even you - although, to be fair, if they can force you to do anything then the MITM capability is less interesting). So while this scheme benefits the operator, it provides negligible benefit to the client.
* You are reliant on the secondary CA to remain static (or having a backup CA) - this is the same problem as the original simply shifting the capability up one level - maybe this is OK.
Overall, this approach does provide more flexibility to the operator of the site - but provides no or negligible additional security on the client side (it upgrades the capability from being able to mimic any CA to being able to mimic a specific CA), and may even put clients at greater risk - since there is now an additional avenue of certificate rotation which means extra code, extra verification to mess up etc.
These were a few thoughts that jumped into my brain - I would like to see a more detailed threat model / paper exploring some new schemes as I think there are wins in this space that haven't been realized yet - and there may be improvements / clarifications which can improve this model further.
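The scheme sarahj describes (TOFU-pin the leaf and a secondary CA, allow rotation only when the new cert carries two trusted signatures including the pinned CA's) and both caveats, as an added example that is not part of the original comment. It is a stdlib-only simulation: the CAs (PublicCA, OperatorCA, RogueCA), the keys and the hostname are constructed for the example, and HMAC over the certificate body stands in for a real CA signature. The last two connections show the point made in the comment: an attacker who has subverted two trusted CAs but not the pinned one is stopped, while one who also controls the pinned CA is not.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class CA:
    """Toy CA. HMAC over the certificate body stands in for a real signature
    (constructed for this example; a real CA signs with an asymmetric key)."""
    name: str
    secret: bytes

    def sign(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def verify(self, body: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(body), sig)


@dataclass
class Cert:
    """Toy leaf certificate: host, server public key, and an ordered list of
    (ca_name, signature). Under the proposed scheme the first entry is the
    primary signer and the second is the secondary (to-be-pinned) CA."""
    host: str
    pubkey: bytes
    signatures: list

    def body(self) -> bytes:
        return self.host.encode() + b"|" + self.pubkey

    def fingerprint(self) -> str:
        return hashlib.sha256(self.body()).hexdigest()


def issue(host: str, pubkey: bytes, *cas: CA) -> Cert:
    """Have each given CA sign a cert for host/pubkey, in order."""
    cert = Cert(host, pubkey, [])
    cert.signatures = [(ca.name, ca.sign(cert.body())) for ca in cas]
    return cert


class PinStore:
    """Client side of the scheme: TOFU on first contact, then enforce pins."""

    def __init__(self, trusted_cas):
        self.trusted = {ca.name: ca for ca in trusted_cas}
        self.pins = {}  # host -> (leaf fingerprint, pinned CA name)

    def _valid_issuers(self, cert: Cert) -> list:
        body = cert.body()
        return [name for name, sig in cert.signatures
                if name in self.trusted and self.trusted[name].verify(body, sig)]

    def connect(self, cert: Cert) -> str:
        issuers = self._valid_issuers(cert)
        if not issuers:
            return "reject: no trusted signature"
        pin = self.pins.get(cert.host)
        if pin is None:
            # First contact (TOFU): pin the leaf and the secondary CA if the
            # cert has one, otherwise the only signer.
            pinned_ca = issuers[1] if len(issuers) > 1 else issuers[0]
            self.pins[cert.host] = (cert.fingerprint(), pinned_ca)
            return "tofu: pinned leaf and CA " + pinned_ca
        leaf_fp, pinned_ca = pin
        if cert.fingerprint() == leaf_fp:
            return "ok: pinned leaf"
        # Rotation: the new cert needs two distinct trusted signatures and one
        # must come from the pinned CA. The leaf pin moves; the CA pin stays.
        if pinned_ca in issuers and len(set(issuers)) >= 2:
            self.pins[cert.host] = (cert.fingerprint(), pinned_ca)
            return "ok: rotated under pinned CA " + pinned_ca
        return "reject: pin mismatch"


def demo() -> list:
    """First contact, a legitimate rotation, and the attacker cases from the
    comment. All CAs, keys and the hostname are constructed for this example."""
    public_ca = CA("PublicCA", b"public-ca-secret")
    operator_ca = CA("OperatorCA", b"operator-ca-secret")
    rogue_ca = CA("RogueCA", b"rogue-ca-secret")  # trusted by the client, not pinned

    client = PinStore([public_ca, operator_ca, rogue_ca])
    results = []
    results.append(client.connect(issue("example.com", b"key-v1", public_ca, operator_ca)))
    # Legitimate rotation: new key, signed by both CAs.
    results.append(client.connect(issue("example.com", b"key-v2", public_ca, operator_ca)))
    # Original threat: a mis-issued cert from any single trusted CA.
    results.append(client.connect(issue("example.com", b"attacker-key", rogue_ca)))
    # Attacker who subverted two trusted CAs, but not the pinned one.
    results.append(client.connect(issue("example.com", b"attacker-key", rogue_ca, public_ca)))
    # Attacker who also controls the pinned CA: the scheme cannot help here.
    results.append(client.connect(issue("example.com", b"attacker-key", rogue_ca, operator_ca)))
    return results
```

The rotation branch is the "extra code, extra verification to mess up" the comment warns about: it is the only path that changes a pin after first contact, so any bug there (accepting one signature instead of two, or not requiring the pinned CA among them) collapses the scheme back to ordinary CA trust.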