WHITE PAPER: SSL FOR APPS BEST PRACTICES FOR DEVELOPERS White Paper SSL for Apps Best Practices for Developers White Paper: SSL for Apps Best Practices for Developers SSL for Apps Best Practices for Developers Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Chain Building . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 End-entity Certificate Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Intermediate Certificate Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2 White Paper: SSL for Apps Best Practices for Developers Introduction SSL/TLS is a core enabling technology that is critical for securing communications. For more than a decade, SSL has provided a solid, stable platform for ensuring security and trust online, enabling the growth of e-commerce and other industries. SSL is a fundamentally sound technology that provides confidentiality, authentication, and integrity. The most significant challenge facing the SSL ecosystem is not a technological flaw or limitation, but rather the way it is being implemented and the practices around it. Several University researchers have recently published reports indicating widespread errors and shortcomings in non-browser applications that act as the client of an SSL/TLS connection. These issues result from flawed implementations of SSL in the applications or in SDKs or APIs used by the applications. This is an issue that needs to be addressed because today more and more services are offered through non-browser application interfaces. Often but not always these applications are designed for use on mobile devices. As mobile device adoption increases, the use of these applications will increase and thus the impact of these security implementation shortcomings will grow as well. This paper lists necessary steps to take to create a stronger, more trustworthy SSL implementation. All SSL Client non-browser applications should follow all the practices in this document to ensure the high level of authentication, confidentiality and integrity promised by SSL are achieved. Chain Building During the SSL handshake, the server will return one or more certificates to the client to build a chain of trust. Don’t assume that the certificates for this chain are returned in any particular order. Misconfigured web servers may also return more certificates than necessary to build a chain, or they may fail to return certificates that are needed to build a chain. If a certificate contains a caIssuers entry in its authorityInfoAccess extension, that entry will indicate a protocol and location where you can obtain the issuing certificate. This information may help you locate certificates in the chain that are not returned by the server. Note: If a self-signed root certificate (defined as a certificate whose Issuer Name is the same as its Subject Name) is returned by the server, it should be ignored. No certificate should be trusted simply because the server returns it. Try to build a certificate chain to determine which certificate is the end-entity SSL certificate. The chain can be built either with authorityKeyIdentifier/ subjectKeyIdentifier (AKI/SKI) extension values (the AKI value in a certificate should match the SKI value in the certificate that signed it), or with Issuer Distinguished Name / Subject Distinguished Name values (the Issuer Distinguished Name value in a certificate should match the Subject Distinguished Name value in the certificate that signed it). 3 White Paper: SSL for Apps Best Practices for Developers Cryptographically verify that the chain from end-entity certificate to trusted root certificate or intermediate certificate is valid (that is, validate that the intermediate’s public key signed the end-entity certificate, the root certificate’s public key signed the intermediate certificate, etc.). More information about building certificate chains can be found in Section 6 of RFC 5280. Think carefully about which certificates you will ultimately trust. It is quite secure to require the server to return a particular end-entity SSL certificate; however the downside to this type of implementation is that your application will break when the certificate is renewed or replaced. A more convenient practice is to allow any end-entity SSL certificate that is signed by a particular trusted intermediate certificate, although at some point even the intermediate certificate will be renewed or replaced. It is extremely risky to trust all SSL certificates that chain up to all root certificates in the platform’s trust store. Pick only one trusted root, but avoid trusting all end-entity certificates that chain up to that root. This practice is risky because it expands the pool of certificates that you will trust, possibly beyond what you intend. A good compromise would be to require that the end-entity SSL certificate chains up to a particular trusted root, and is signed by an intermediate certificate with a specific Common Name. End-entity Certificate Checks When comparing strings extracted from certificates, note that they are represented in the certificate as a byte length, followed by that number of bytes. Do not assume that the string is null-terminated. Also note that strings may be encoded in different types, including UTF-8. For the end-entity SSL certificate, perform these checks: 1. Verify that the fully-qualified domain name or IP address to which the connection was created appears in either the Common Name field of the Distinguished Name, or in one of the Subject Alternative Name (SAN) extension values. Note: –– Newer certificates will not contain a Common Name field at all; rather they will use SAN values. –– Don’t assume that the certificate contains a Common Name. –– Take into account proper wildcards (*.example.com or *.mail.example. com, for example). –– The certificate should be rejected if it contains more than one Common Name value, or if the address to which the connection was created does not match the Common Name or any SAN values. –– Take into account International Domain Names (IDNs) (see http://www. unicode.org/draft/faq/idn.html). IDN certificates should contain a punycode version of the Unicode domain name in the Common Name or SAN field. 4 White Paper: SSL for Apps Best Practices for Developers 2. The current date/time must be greater than the notBefore time in the certificate, and less than the notAfter time in the certificate. Note that date/ times are represented in GMT. If you can’t be sure that your application has an accurate time source, you may wish to err on the side of caution and accept a certificate that will not be valid for a few more days, or has just expired in the last few days. 3. If the certificate contains a basicConstraints extension, the cA flag must be set to false and the pathLenConstraint must be set to 0. 4. If the certificate contains a keyUsage extension, the digitalSignature and keyEncipherment bits must be set. 5. If a particular policy is expected, check that it appears in the certificatePolicies extension. 6. If the certificate contains an extKeyUsage extension, the extension value must be either the special anyExtendedKeyUsage value, or if it contains special purpose OIDs, then id-kp-serverAuth must be included. 7. The certificate must contain the crlDistributionPoints extension or the authorityInfoAccess extension with an AccessMethod value of idad-ocsp. The status of the certificate can be verified by checking CRL, OCSP, or both (fallback from one method to the other). Verification must result in a positive determination that the certificate has not been revoked. If the client application caches CRLs or OCSP responses, these may be used until their validity end date instead of making another request for a CRL or OCSP response. 8. If any other extension is marked ‘critical’, the application must be able to recognize and understand the value of the extension. The certificate must be rejected if it contains any critical extensions that the application does not recognize. Intermediate Certificate Checks When comparing strings extracted from certificates, note that they are represented in the certificate as a byte length, followed by that number of bytes. Do not assume that the string is null-terminated. Also note that strings may be encoded in different types, including UTF-8. For each intermediate CA certificate in the chain, up to and including the trusted intermediate certificate (if the intermediate is your trust point), perform these checks: 1. The current date/time must be greater than the notBefore time in the certificate, and less than the notAfter time in the certificate. Note that date/ times are represented in GMT. If you can’t be sure that your application has an accurate time source, you may wish to err on the side of caution and accept a certificate that will not be valid for a few more days, or has just expired in the last few days. 2. The certificate must contain a basicConstraints extension, with the cA flag set to true. 3. The certificate must contain a keyUsage extension, with the keyCertSign bit set. 5 White Paper: SSL for Apps Best Practices for Developers 4. If a particular policy is expected, check that it appears in the certificatePolicies extension. 5. The certificate must contain the crlDistributionPoints extension or the authorityInfoAccess extension with an AccessMethod value of id-ad-ocsp. The status of the certificate can be verified by checking CRL, OCSP, or both (fallback from one method to the other). Verification must result in a positive determination that the certificate has not been revoked. If the client application caches CRLs or OCSP responses, they may be used until their validity end date instead of making another request for a CRL or OCSP response. 6. If the nameConstraints and/or policyConstraints extensions are present, the application must process the constraints for all certificates in the subtree beneath it. 7. If any other extension is marked ‘critical’, the application must be able to recognize and understand the value of the extension. The certificate must be rejected if it contains any critical extensions that the application does not recognize. Conclusion The SSL/TLS protocol, when properly implemented, provides strong confidentiality and integrity for communications, as well as authentication of one or both endpoint identities. Yet unless certain checks are performed, an attacker can intercept and modify data without detection. All SSL Client non-browser applications should follow all the practices in this document to insure the high level of authentication, confidentiality and integrity promised by SSL. The normative reference for this document is RFC 5280. SSL has been the key to trust on the Internet for more than a decade, and it will continue to provide excellent protection against evolving cyber security threats. Symantec is leading the way with world-class security and authentication practices, and with what certificate authorities, browser developers, customers, consumers and all other stakeholders can do to help build a more robust security ecosystem. By working together as an industry to do the right thing, enforcing rigorous security practices, maintaining an agile infrastructure, and adopting stronger security standards, we can ensure that people have the confidence they need to connect online now and in the future. 6 White Paper: SSL for Apps Best Practices for Developers More Information Visit our website http://www.symantec.com/ssl To speak with a Product Specialist in the U.S. 1-866-893-6565 or 1-650-426-5112 To speak with a Product Specialist outside the U.S. For specific country offices and contact numbers, please visit our website. About Symantec Symantec protects the world’s information and is the global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment – from the smallest mobile device to the enterprise data center to cloud-based systems. Our industry-leading expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at: go.symantec.com/socialmedia. Symantec World Headquarters 350 Ellis Street Mountain View, CA 94043 USA 1-866-893-6565 www.symantec.com Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. UID: 131/10/13