Understanding SSL for Apps

Brook R. Chelmo
Principal Product Marketing Manager
SSL for Apps – Brook R. Chelmo
1
Introduction
• SSL/TLS is a core technology; critical to secure communications
• The greatest challenge is not technology but implementation
• Researchers found widespread errors in non-browser apps
• Take the necessary steps to create a stronger & more trustworthy SSL implementation
Chain Building
• During the SSL handshake the server will return one or more certificates.
• Misconfigured web servers may return more or fewer certificates than what is necessary.
• You may find a pointer to the certificate’s issuing certificate in the caIssuers entry of its authorityInfoAccess extension.
• NOTE: Ignore any self-signed certificate the server sends.
Build a Certificate Chain
• Determine the end-entity SSL certificate by building a certificate chain.
• A certificate’s AuthorityKeyIdentifier (or Issuer Distinguished Name) must match the SubjectKeyIdentifier (or Subject Distinguished Name) of the certificate that issued it.
[Diagram: Chain of Trust, a chained hierarchy. Root CA (SKI) ← Intermediate CA (AKI points at the root’s SKI; has its own SKI) ← End Entity Certs (AKI points at the intermediate’s SKI).]
Build a Certificate Chain
• Verify that the chain from end-entity to intermediate to root is valid.
3 Scenarios
Consider which certificates you will trust. Three options:
1. Trust one certificate.
2. Allow any End-Entity SSL certificate signed by a particular trusted intermediate. Pick only one trusted root and avoid trusting all end-entity certificates that chain up to that root.
3. Require the end-entity to chain up to a certain trusted root and be signed by an intermediate certificate with a specific common name.
The 5 End-Entity & Intermediate Checks
1. Note that strings in certificates are stored as a byte length followed by that number of bytes. Don’t assume they’re null-terminated. There may also be different types of encoding, such as UTF-8.
2. Check the validity period against an accurate time source.
3. Check for either a crlDistributionPoints or authorityInfoAccess extension.
4. The app must be able to recognize & understand “critical” extensions.
5. Check the certificatePolicies extension.
The 4 Additional End-Entity Checks
1. Verify the FQDN or IP address appears in the Common Name or the SAN extension (newer certificates).
   1. Take into account proper wildcards.
   2. Reject the certificate if it has more than one common name.
   3. IDN certificates should contain the punycode form of the Unicode domain name in the Common Name or SAN.
2. If it has a basicConstraints extension, check that the cA flag is set to “false” and the pathLenConstraint is set to “zero”.
3. If the certificate has a keyUsage extension, check that the digitalSignature and keyEncipherment bits are set.
The 4 Additional End-Entity Checks
4. If the certificate contains an extKeyUsage extension, the extension value must be either the special anyExtendedKeyUsage value, or, if it contains special-purpose OIDs, then id-kp-serverAuth must be included.
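The end-entity checks from the chain-building and end-entity slides, worked through in Go with the standard library crypto/x509 package; this is an added example, not code from the deck or from Symantec. CheckEndEntity verifies the AKI/SKI link to the issuer, the validity window against a caller-supplied clock, the cA flag, the keyUsage bits, the extKeyUsage rule and the hostname (SAN match with wildcard handling); BuildTestChain constructs a throwaway CA and leaf for api.example.test so the code runs offline. The function names, the CA name and api.example.test are assumptions of the example; revocation (CRL/AIA) and certificatePolicies checks from the deck are not implemented here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckEndEntity applies the deck's end-entity checks to leaf against the certificate that issued it.
func CheckEndEntity(leaf, issuer *x509.Certificate, host string, now time.Time) error {
	ekuOK := len(leaf.ExtKeyUsage) == 0 // no extKeyUsage extension: nothing to require
	for _, e := range leaf.ExtKeyUsage { // otherwise id-kp-serverAuth or anyExtendedKeyUsage must be present
		ekuOK = ekuOK || e == x509.ExtKeyUsageServerAuth || e == x509.ExtKeyUsageAny
	}
	switch {
	case string(leaf.AuthorityKeyId) != string(issuer.SubjectKeyId):
		return errors.New("leaf: AuthorityKeyIdentifier does not match issuer SubjectKeyIdentifier")
	case now.Before(leaf.NotBefore) || now.After(leaf.NotAfter):
		return errors.New("leaf: outside validity period (check against an accurate clock)")
	case leaf.IsCA:
		return errors.New("leaf: basicConstraints cA flag is true")
	case leaf.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment) != x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment:
		return errors.New("leaf: keyUsage lacks digitalSignature or keyEncipherment")
	case !ekuOK:
		return errors.New("leaf: extKeyUsage lacks id-kp-serverAuth")
	}
	return leaf.VerifyHostname(host) // SAN match, including wildcard handling
}

// BuildTestChain constructs a throwaway CA and leaf for api.example.test in memory (sample data, not a real PKI).
func BuildTestChain() (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), SubjectKeyId: []byte{1},
		BasicConstraintsValid: true, IsCA: true, KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "api.example.test"},
		DNSNames: []string{"api.example.test"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	ca, _ = x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey) // AKI taken from ca's SKI
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}
```

In a real client, leaf and issuer come from the peer's verified chain (for example tls.ConnectionState.VerifiedChains) and now from a trustworthy clock.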
The 3 Additional Intermediate Checks
1. Must contain a basicConstraints extension with a cA flag of “true.”
2. Must contain a keyUsage extension with the keyCertSign bit set.
3. Check that any name or policy constraints are consistent with those in the certificates beneath it in the chain.
Conclusion
Properly implemented SSL provides confidentiality, authentication, and integrity, so traffic cannot be intercepted or modified undetected.
Symantec is leading the way in security and authentication practices by working with browser developers, customers, bloggers, & other stakeholders to build a better security ecosystem.
Thank you!
Symantec World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
1 (866) 893 6565
www.symantec.com
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.