[cabfpub] [EXTERNAL] Brazilian bank DNS heist

Ryan Sleevi sleevi at google.com
Fri Apr 7 14:23:55 UTC 2017


That's just a press summary of what Bruce linked.

It sounds like folks don't understand Ivan's criticisms or the problems
with HPKP. Since this list is primarily targetted towards CAs, I encourage
you to reach out to Ivan (or if he still lurks) about how CAs could make
HPKP more viable, if they're interested. I've already described how CAs are
uniquely qualified to provide that assistance. It's the lack of that
assistance that has created the significant risks. That's not something
Gerv or Jody and I can solve - that's on CAs.

This is no different than, for example, CAs needing to disclose what CAA
domains they accept, as otherwise, CAA cannot be (effectively) used.

On Fri, Apr 7, 2017 at 10:21 AM, Christian Heutger <ch at psw.net> wrote:

> HPKP is vulnerable, look at https://www.heise.de/security/
> artikel/Wachsende-Kritik-an-Public-Key-Pinning-fuer-HTTPS-3324703.html
> (you may use Google Translator) from second headline
>
>
>
> *Von: *Public <public-bounces at cabforum.org> im Auftrag von Ryan Sleevi
> via Public <public at cabforum.org>
> *Antworten an: *CA/Browser Forum Public Discussion List <
> public at cabforum.org>
> *Datum: *Freitag, 7. April 2017 um 16:16
> *An: *Bruce Morton <Bruce.Morton at entrustdatacard.com>
> *Cc: *Ryan Sleevi <sleevi at google.com>, CA/Browser Forum Public Discussion
> List <public at cabforum.org>
> *Betreff: *Re: [cabfpub] [EXTERNAL] Brazilian bank DNS heist
>
>
>
>
>
>
>
> On Fri, Apr 7, 2017 at 9:27 AM, Bruce Morton <
> Bruce.Morton at entrustdatacard.com> wrote:
>
> Sorry I missed that, but isn’t pinning high risk? I don’t think that any
> CA would recommend pinning as it is unsupportable; we can’t do anything
> when it fails. I think Subscribers should review pinning before deploying,
> https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
> .
>
>
>
> For what it's worth, many of the complaints in that blog relate to CAs
> lack of disclosure related to their infrastructure - that's what creates
> the risks. So if CAs were more technically savvy, and worked to help
> understand their customers needs, it's very much viable.
>
>
>
> I think the value of EV is that those certificates are not issued to
> attackers. So it would be great if a Subscriber could state that their site
> only uses EV and that the browser respected that statement.
>
>
>
> And customers have that capability - if CAs, particularly their CA, is
> technically capable and/or transparent. The browser manufacturers have
> already give you that capability, if you chose to use it.
>
>
>
> I also think that this statement might be better to be put in the HSTS
> header. HSTS is low risk, EV is highly available and stating EV-only would
> be applicable to most CAs. This allows the Subscriber to move from one CA
> to another without bricking their site by pinning to a root or intermediate.
>
>
>
> I disagree, and was pointing out how you can already accomplish this
> without requiring new features that accomplish the same as existing
> features =)
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170407/74222a0d/attachment-0003.html>


More information about the Public mailing list