Understanding SSL for Apps

Size: px

Start display at page:

Download "Understanding SSL for Apps"

Letitia Lloyd
8 years ago
Views:

1 Understanding SSL for Apps Brook R. Chelmo Principal Product Marketing Manager SSL for Apps Brook R. Chelmo 1

found widespread errors in non-browser apps Take the necessary steps to

2 Introduction SSL/TLS is a core technology; critical to secure communications The greatest challenge is not technology but implementation Researchers found widespread errors in non-browser apps Take the necessary steps to create a stronger & more trustworthy SSL implementation SSL for Apps Brook R. Chelmo 2

3 Chain Building During the SSL handshake the server will return one or more certificates SSL for Apps Brook R. Chelmo 3

4 Chain Building During the SSL handshake the server will return one or more certificates. Misconfigured web servers may return more or fewer certificates than what is necessary. SSL for Apps Brook R. Chelmo 4

5 Chain Building During the SSL handshake the server will return one or more certificates. Misconfigured web servers may return more certificates than what is necessary. You may find a pointer to the certificate s issuing certificate in the caissuers entry in its authorityinfoaccess extension. NOTE: Ignore self-signed certificates. SSL for Apps Brook R. Chelmo 5

6 Build a Certificate Chain Determine the end-entity SSL certificate by building a certificate chain. The AuthorityKeyIdentifier or Issuer Distinguished Name must match the SubjectKeyIdentifier or Subject Distinguished Name. Chain of Trust SKI Root CA AKI SKI Intermediate CA Chained Hierarchy AKI End Entity Certs SSL for Apps Brook R. Chelmo 6

7 Build a Certificate Chain Verify that the chain from end-entity to intermediate to root is valid. SSL for Apps Brook R. Chelmo 7

Pick only one trusted root and avoid trusting all end-entity certificates that chain up to that root. 3.

8 3 Scenarios Consider which certificates you will trust. Three Options: 1. Trust one certificate. 2. Allow any End-Entity SSL certificate signed by a particular trusted intermediate. Pick only one trusted root and avoid trusting all end-entity certificates that chain up to that root. 3. Require the end-entity to chain up to a certain trusted root and be signed by an intermediate certificate with a specific common name. SSL for Apps Brook R. Chelmo 8

The 5 End-Entity & Intermediate Checks 1. Note that strings in certificates are stored as a byte length followed by that number of bytes. Don t assume they re nullterminated.

9 The 5 End-Entity & Intermediate Checks 1. Note that strings in certificates are stored as a byte length followed by that number of bytes. Don t assume they re nullterminated. There may also be different types of encoding such as UTF Check the validity against an accurate time source. 3. Check for either a crldistributionpoints or authorityinfoaccess extension. 4. The app must be able to recognize & understand critical extensions. 5. Check the certificatepolicies extension. SSL for Apps Brook R. Chelmo 9

10 The 4 Additional End-Entity Checks 1. Verify the FQDN or IP address appears in the Common Name or the SAN extension (newer certificates). 1. Take into account proper wildcards 2. Reject the certificate if it has more than one common name. 3. IDN certificates should contain a punycode Unicode domain name in the Common Name or SAN 2. If it has a basicconstraints extension, check that the ca flag is set to false and the pathlencontraints is set to zero 3. If the certificate has a keyusage extension, check that the digitalsignature and keyencipherments bits are set. SSL for Apps Brook R. Chelmo 10

11 The 4 Additional End-Entity Checks 4. If the certificate contains an extkeyusage extension, the extension value must be either the special anyextendedkeyusage value, or if it contains special purpose OIDs, then id-kp-serverauth must be included. SSL for Apps Brook R. Chelmo 11

12 The 3 Additional Intermediate Checks 1. Must contain a basicconstraints extension with a ca flag of true. 2. Must contain a keyusage extension with a keycertsign set. 3. Check that any name or policy constraints are consistent with those in the certificates beneath it in the chain. SSL for Apps Brook R. Chelmo 12

13 Conclusion Proper SSL provides confidentiality, authentication, and integrity without interception or modification. Symantec is leading the way in security and authentication practices by working with browser developers, customers, bloggers, & other stakeholders to build a better security ecosystem. SSL for Apps Brook R. Chelmo 13

14 Thank you! Symantec World Headquarters 350 Ellis Street Mountain View, CA USA 1 (866) Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. SSL for Apps Brook R. Chelmo 14

Securing Microsoft Exchange 2010 With VeriSign Authentication Services

BUSINESS GUIDE: SECURING MICROSOFT EXCHANGE 2010 WITH VERISIGN AUTHENTICATION SERVICES Symantec Business Guide Securing Microsoft Exchange 2010 With VeriSign Authentication Services Best Practices for