[cabfpub] [EXTERNAL] Brazilian bank DNS heist

Christian Heutger ch at psw.net
Fri Apr 7 14:21:22 UTC 2017

HPKP is vulnerable, look at https://www.heise.de/security/artikel/Wachsende-Kritik-an-Public-Key-Pinning-fuer-HTTPS-3324703.html (you may use Google Translate) from the second headline onwards

From: Public <public-bounces at cabforum.org> on behalf of Ryan Sleevi via Public <public at cabforum.org>
Reply to: CA/Browser Forum Public Discussion List <public at cabforum.org>
Date: Friday, 7 April 2017 at 16:16
To: Bruce Morton <Bruce.Morton at entrustdatacard.com>
Cc: Ryan Sleevi <sleevi at google.com>, CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] [EXTERNAL] Brazilian bank DNS heist

On Fri, Apr 7, 2017 at 9:27 AM, Bruce Morton <Bruce.Morton at entrustdatacard.com> wrote:
Sorry I missed that, but isn’t pinning high risk? I don’t think that any CA would recommend pinning as it is unsupportable; we can’t do anything when it fails. I think Subscribers should review pinning before deploying, https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead.

For what it's worth, many of the complaints in that blog relate to CAs' lack of disclosure related to their infrastructure - that's what creates the risks. So if CAs were more technically savvy, and worked to help understand their customers' needs, it's very much viable.

I think the value of EV is that those certificates are not issued to attackers. So it would be great if a Subscriber could state that their site only uses EV and that the browser respected that statement.

And customers have that capability - if CAs, particularly their CA, are technically capable and/or transparent. The browser manufacturers have already given you that capability, if you choose to use it.

I also think that this statement might be better to be put in the HSTS header. HSTS is low risk, EV is highly available and stating EV-only would be applicable to most CAs. This allows the Subscriber to move from one CA to another without bricking their site by pinning to a root or intermediate.

I disagree, and was pointing out how you can already accomplish this without requiring new features that accomplish the same as existing features =)
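The pinning mechanics the thread argues over, as an added illustration that is not part of the list archive or of any browser's implementation: RFC 7469 pin values, the backup-pin rule a user agent applies before storing a Public-Key-Pins header, and why pinning a CA's intermediate fails on a CA change unless a site-held backup key is also pinned. The SPKI byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib
from typing import Iterable, List, Sequence

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; HPKP only
# hashes the bytes, so real keys are not needed to show the validation rules.
LEAF_SPKI = b"constructed-spki:bank-leaf-key"
OLD_CA_SPKI = b"constructed-spki:old-ca-intermediate"
NEW_CA_SPKI = b"constructed-spki:new-ca-intermediate"
BACKUP_SPKI = b"constructed-spki:site-held-backup-key"

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def build_pkp_header(pins: Iterable[str], max_age: int) -> str:
    """Serialise a Public-Key-Pins header value from pin strings."""
    return "; ".join([f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"])

def parse_pkp_header(header: str) -> List[str]:
    """Extract the pin-sha256 values from a Public-Key-Pins header value."""
    parts = (d.strip() for d in header.split(";"))
    return [d.split("=", 1)[1].strip('"') for d in parts if d.lower().startswith("pin-sha256=")]

def chain_matches(pins: Sequence[str], chain: Sequence[bytes]) -> bool:
    """Pin validation: at least one SPKI in the served chain must match a stored pin."""
    return any(spki_pin(s) in pins for s in chain)

def header_is_noted(pins: Sequence[str], chain: Sequence[bytes]) -> bool:
    """A UA stores the header only if some pin is NOT in the chain (a backup pin)."""
    chain_pins = {spki_pin(s) for s in chain}
    return any(p not in chain_pins for p in pins)

def migration_outcome() -> dict:
    """Pin the current CA's intermediate plus a site-held backup key, then switch CAs."""
    pins = [spki_pin(OLD_CA_SPKI), spki_pin(BACKUP_SPKI)]
    header = build_pkp_header(pins, max_age=5184000)
    assert parse_pkp_header(header) == pins
    old_chain = [LEAF_SPKI, OLD_CA_SPKI]
    # New CA, same leaf key: fails, because the leaf key itself was never pinned.
    new_chain_reused_leaf = [LEAF_SPKI, NEW_CA_SPKI]
    # New CA, leaf re-keyed to the backup key: passes, the site stays reachable.
    new_chain_backup_leaf = [BACKUP_SPKI, NEW_CA_SPKI]
    return {
        "header_noted": header_is_noted(pins, old_chain),
        "old_ca_ok": chain_matches(pins, old_chain),
        "new_ca_reused_leaf_ok": chain_matches(pins, new_chain_reused_leaf),
        "new_ca_backup_leaf_ok": chain_matches(pins, new_chain_backup_leaf),
    }
```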
