A Quick Guide to SSL for Apps

Similar documents
Understanding SSL for Apps

Frequently Asked Questions. Frequently Asked Questions: Securing the Future of Trust on the Internet

Securing Microsoft Exchange 2010 With VeriSign Authentication Services

Securing Microsoft Exchange 2010 with Symantec SSL Certificates

Choosing a Cloud Hosting Provider with Confidence

Frequently Asked Questions. Frequently Asked Questions: Prioritizing Trust: Certificate Authority Security Best Practices

Symantec Workspace Virtualization 7.6

Choosing a Cloud Hosting Provider with Confidence

Seven Key Issues to Consider Before Selecting a Cloud Hosting Provider

Symantec Mobile Security

How Extended Validation SSL Brings Confidence to Online Sales and Transactions

Symantec App Center. Mobile Application Management and Protection. Data Sheet: Mobile Security and Management

Windows Server 2008 PKI and Certificate Security

Beginner s Guide to SSL Certificates

Simplify SSL Certificate Management Across the Enterprise

White Paper. Business Continuity and Breach Protection: Why SSL Certificate Management is Critical to Today s Enterprise

Symantec Mobile Management for Configuration Manager 7.2

White Paper. Enhancing Website Security with Algorithm Agility

Symantec Mobile Management 7.2

Programme of Requirements part 3f: Certificate Policy - Extended Validation

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Managing SSL Certificates with Ease

Symantec Verification Overview.BANK Verification

Symantec Managed PKI for SSL Support Overview. How to get quick and convenient customer support

Certificate Policy for. SSL Client & S/MIME Certificates

Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER

Symantec Encryption Solutions for , Powered by PGP Technology

Securing Your Software for the Mobile Application Market

Certificates and network security

X.509 Certificate Generator User Manual

Cyber Security Services: Data Loss Prevention Monitoring Overview

Programme of Requirements part 3h: Certificate Policy Server certificates Private Services Domain (G3)

PROTECTED CLOUDS: Symantec solutions for consuming, building, or extending into the cloud

Endpoint Protection Small Business Edition 2013?

Symantec Endpoint Protection

Don t Lose the Data: Six Ways You May Be Losing Mobile Data and Don t Even Know It

Integrated SSL Scanning

Securing Microsoft Exchange 2010 WITH THAWTE SSL CERTIFICATES

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Balancing Cloud-Based Benefits With Security. White Paper

Symantec Managed PKI Service Deployment Options

White paper. How to choose a Certificate Authority for safer web security

Choosing a Cloud Hosting Provider with Confidence THAWTE SSL CERTIFICATES PROVIDE A SECURE BRIDGE TO TRUSTED CLOUD HOSTING PROVIDERS

Securing Your Enterprise in the Cloud. IT executives must be ready to move to the cloud safely

Leveraging Symantec CIC and A10 Thunder ADC to Simplify Certificate Management

SSL/TLS: The Ugly Truth

White Paper. Simplify SSL Certificate Management Across the Enterprise

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

Certificate Path Validation

ETSI TS V1.1.1 ( )

Symantec Endpoint Protection

APNIC Trial of Certification of IP Addresses and ASes

Licensing Symantec Certificates

How Drive Encryption Works

Symantec Enterprise Vault Discovery.cloud

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

Reducing the Cost and Complexity of Web Vulnerability Management

White Paper. Keeping Your Private Data Secure

How Endpoint Encryption Works

Enterprise Vault 11 Feature Briefing

Endpoint Management and Mobility Solutions from Symantec. Adapting traditional IT operations for new end-user environments

SSL Certificates and Bomgar

HTTPS Inspection with Cisco CWS

Is online backup right for your business? Eight reasons to consider protecting your data with a hybrid backup solution

Prioritizing Trust: Certificate Authority Best Practices

Portal Administration. Administrator Guide

Wildcard and SAN: Understanding multi-use SSL Certificates

Two-Factor Authentication

Web Protection for Your Business, Customers and Data

Symantec Enterprise Vault for Microsoft Exchange

Enterprise Vault 10 Feature Briefing

Simplify Your Windows Server Migration

Symantec Messaging Gateway 10.5

Website Security Partner Program. Path to Profitability

IBM i Version 7.3. Security Digital Certificate Manager IBM

Symantec NetBackup 7.5 What s New and Version Comparison Matrix

Complete Website Security

Integrated SSL Scanning

SWITCHaai Metadata CA. Certificate Policy and Certification Practice Statement

NetBackup Best Practice Using Tape Storage with Deduplicating Disk Storage

NIST Test Personal Identity Verification (PIV) Cards

Certificate technology on Pulse Secure Access

Why Digital Certificates Are Essential for Managing Mobile Devices

The IVE also supports using the following additional features with CA certificates:

Business Continuity and Breach Protection: Why SSL Certificate Management Is Critical to Today s Enterprise

Certificate technology on Junos Pulse Secure Access

Achieving Business Agility Through An Agile Data Center

CableLabs DIGITAL CERTIFICATE AUTHORIZATION AGREEMENT For Devices Built in Compliance with the DOCSIS 3.0 and 3.1 Specifications

Certification Practice Statement

Raise your Google Ranking

Public Key Infrastructure (PKI)

Validity Models of Electronic Signatures and their Enforcement in Practice

phicert Direct Certificate Policy and Certification Practices Statement

Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

Symantec Asset Management Suite 7.5 powered by Altiris technology

Bugzilla ID: Bugzilla Summary:

How To Use Netbackup For Business

Host-based Protection for ATM's

Symantec NetBackup deduplication general deployment guidelines

Transcription:

WHITE PAPER : A QUICK GUIDE TO SSL FOR APPS White Paper A Quick Guide to SSL for Apps

A Quick Guide to SSL for Apps CONTENTS Chain Building... 3 The 5 End-Entity & Intermediate Certificate Checks... 4 The 4 Additional End-entity Certificate Checks... 4 The 3 Additional Intermediate Certificate Checks... 4 Conclusion... 5 2

SSL/TLS has been & will be a core enabling technology critical for securing communications. The most significant challenge facing the SSL ecosystem is its implementation. Researchers have recently published reports indicating widespread errors & shortcomings in the implementation of SSL/TLS in mobile applications. These issues often result from flawed use of SDKs or APIs used by developers. This paper lists necessary steps to take to create a stronger, more trustworthy SSL implementation. All SSL client non-browser applications should follow all these practices to ensure strong authentication, confidentiality & integrity. Chain Building During the SSL handshake, certificates used to build a chain of trust may be returned in any particular order. If the server fails to send all certificates needed to build the chain, the caissuers entry in the authorityinfoaccess extension of a certificate will indicate a protocol & location where you can obtain the certificate that issued it. Note: Ignore any self-signed root certificates returned by the server. Root certificates shouldn t be trusted just because they were returned. Determine the end-entity SSL certificate by building a certificate chain. The chain can be built either with authoritykeyidentifier/subjectkeyidentifier (AKI/SKI) extension values, or with Issuer Distinguished Name / Subject Distinguished Name values (IDN/SDN) (the AKI or IDN value in a certificate should match the SKI or SDN value in the certificate that signed it). Cryptographically verify that the chain from end-entity certificate to trusted root certificate or intermediate certificate is valid. Think carefully about which certificates you will ultimately trust. Here are three scenarios: 1. It is quite secure to require a particular end-entity SSL certificate returned;however renewing or replacing that certificate will break your application. 2. Allow any end-entity SSL certificate that is signed by a particular trusted root. The risk of this approach is expanding the pool of certificates that you will trust beyond your intention. 3. The best solution is to require that the end-entity SSL certificate chain up to a particular trusted root and is signed by an intermediate certificate with a specific Common Name. 3

The 5 End-Entity & Intermediate Certificate Checks 1. When comparing strings extracted from certificates, note that they are represented by a byte length followed by that number of bytes and may be represented in different encodings like UTF-8. Do not assume that the string is null-terminated. 2. Check the notbefore time and the notafter time in a certificate to ensure validity. Mobile devices generally have an accurate time source, but provide leeway in case of discrepancies. 3. Certificates must contain the crldistributionpoints extension or the authorityinfoaccess extension with an AccessMethod value of id-ad-ocsp. Ensure it has not been revoked by checking the CRL or OCSP response. If the client application caches CRLs or OCSP responses, these may be used until their validity end date instead of requesting another one. 4. The application must be able to recognize & understand critical extensions in the certificate; otherwise it is to be rejected. 5. If a particular policy is expected, check that it appears in the certificatepolicies extension. The 4 Additional End-entity Certificate Checks 1. Verify that the fully-qualified domain name or IP address appears in either the Common Name field of the Distinguished Name, or in one of the Subject Alternative Name (SAN) extension values (for newer certificates). Note: a. Take into account proper wildcards. b. The certificate should be rejected if it contains more than one Common Name value. c. IDN certificates should contain a punycode version of the Unicode domain name in the Common Name or SAN field. 2. If the certificate contains a basicconstraints extension, the ca flag must be set to false & the pathlenconstraint must be set to 0. 3. If the certificate contains a keyusage extension, the digitalsignature & keyencipherment bits must be set. 4. If the certificate contains an extkeyusage extension, the extension value must be either the special anyextendedkeyusage value, or if it contains special purpose OIDs, then id-kp-serverauth must be included. The 3 Additional Intermediate Certificate Checks 1. The certificate must contain a basicconstraints extension, with the ca flag setto true. 2. The certificate must contain a keyusage extension, with the keycertsign bit set. 3. If the nameconstraints and/or policyconstraints extensions are present, the application must process the constraints for all certificates in the subtree beneath it. 4

Conclusion Properly implemented SSL/TLS protocols provide strong confidentiality, authentication & integrity for communications between endpoints. Yet unless certain checks are performed, data can be intercepted & modified without detection. All SSL client non-browser applications should follow all the practices in this document to ensure the promises of SSL. SSL has been the key to trust on the Internet for more than a decade, and it will continue to provide excellent protection against evolving cyber-security threats. Symantec is leading the way with world-class security & authentication practices by working with browser developers, customers and all other stakeholders to help build a more robust security ecosystem. By working together as an industry to do the right thing, enforcing rigorous security practices, maintaining an agile infrastructure, and adopting stronger security standards, we can ensure that people have the confidence they need to work and play safely in the future. 5

More Information Visit our website http://www.symantec.com/ssl To speak with a Product Specialist in the U.S. 1-866-893-6565 or 1-650-426-5112 To speak with a Product Specialist outside the U.S. For specific country offices and contact numbers, please visit our website. About Symantec Symantec protects the world s information and is the global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment from the smallest mobile device to the enterprise data center to cloud-based systems. Our industry-leading expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at: go.symantec.com/socialmedia. Symantec World Headquarters 350 Ellis Street Mountain View, CA 94043 USA 1-866-893-6565 www.symantec.com Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. UID: 150/02/14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information