Just a guy in Vermont trying to connect all the dots...
Dan York
Author's posts
May 01
New RFC 7469 on Certificate Pinning – HTTP Public Key Pinning (HPKP)
A couple of weeks ago those of us interested in Internet security formally received a new tool in our toolbox to improve the overall security of the TLS infrastructure that we use for pretty much all secure communication across the Internet. RFC 7469, “Public Key Pinning Extension for HTTP” was published and is available at:
http://tools.ietf.org/html/rfc7469
I say “formally” because in practice what is more commonly known as “HPKP” or “PKP” has been implemented for some time now by Google Chrome and Mozilla Firefox (see ticket) as the Internet-Draft worked its way through the WEBSEC Working Group within the IETF on its way to becoming a formal RFC.
At a basic level, “certificate pinning” is a fairly simple concept: once you connect to a site and receive its TLS certificate (i.e. you switch to using HTTPS and have the “lock” icon in your browser), “pin” that certificate inside your application for a specified period of time and ONLY accept connections that use that exact TLS certificate. This removes the possibility of an attacker succeeding with a Man-In-The-Middle (MITM) attack where the attacker can fool your browser into thinking you are connecting to the correct secure site. (If you want a deeper dive, OWASP has a long description of certificate pinning.)
Certificate pinning is a concept that has been around for a while but this new HPKP header makes it easier for sites to implement.
RFC 7469’s abstract doesn’t put it quite so simply as I did above, but you get the idea:
This document defines a new HTTP header that allows web host operators to instruct user agents to remember (“pin”) the hosts’ cryptographic identities over a period of time. During that time, user agents (UAs) will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities.
Now in practice it turns out that pinning the exact TLS certificate can cause operational problems in some website configurations and so the specification allows for the pinning of the key of the entity that issues the TLS certificates for your site, such as a certificate authority (CA). This allows you, for instance, to specify that a browser should only accept TLS certificates from a specific CA. This reduces the risk of a MITM attack where an attacker uses a TLS cert from a different CA who they were able to get to issue the bogus cert.
This new RFC 7469 dives into all the details of HPKP, but if you want a higher level view, Joseph Bonneau gave a talk in March 2015 at IETF 92 in Dallas about HPKP and its companion, HTTP Strict Transport Security (HSTS – RFC 6797). The slides are available:
and you can listen to the presentation starting at about 24:30 in the recording of the SAAG session.
Certificate pinning is a great tool that we have now, although it does have a few challenges to be aware of:
- Trust-On-First-Use (TOFU) – Certificate pinning relies on you connecting to the correct server on the first connection in order to get the TLS cert that you are now going to pin in the browser. As noted in the RFC 7469 Introduction, the issue is that if you were to connect to an attacker’s site first you could in fact wind up pinning the false certificate and thereby being blocked out of connecting to the correct site until the time of the pin expires (what is called in the spec “max-age”).
- Blocking a site due to certificate changes – If you need to change a TLS cert, or if a TLS cert should be compromised or a private key is lost, you could potentially wind up in a situation where people using browsers that perform cert pinning would not be able to get to your site. This could happen if you pinned to an exact cert and had to change the cert, or if you pinned to a CA and then switched to a new CA, and in either case were unable to provide enough notice to manage the migration. The Security Considerations section of RFC 7469 discusses this issue.
On the TOFU issue, one way to deal with having to trust the site on first use is to “pre-load” the certificate to be pinned into the web browser or other application. This is being done by both Chrome and Firefox (see Mozilla’s list). The only concern here is that if you need to change the certificate in the pre-loaded list, you need to wait for an update to the browser to be available (and for users to install that update).
In various conversations I’ve suggested DNSSEC could help here because if the local system performed DNSSEC validation on a signed domain, the browser would then have a high level of assurance that it was connecting to the correct IP address where it could then receive a HPKP header with the correct TLS cert to be pinned. So DNSSEC could help bootstrap the pinning process and get around the TOFU concern.
Whenever I’ve raised this point, the response has typically been that if you have DNSSEC validation available you could simply use DANE to ensure you are using the correct TLS certificate. This is true, and I’d like to hope we’ll someday get there, but: 1) DANE requires the creation and usage of TLSA records, which is one more step people have to take; and 2) web browsers don’t have full support of DANE yet (although plugins are available). In the meantime, I still see DNSSEC as a powerful way to help with ensuring cert pinning works correctly.
Regardless, the key point is that RFC 7469 is now out there and certificate pinning via the HPKP header is now possible. It’s another tool we have and one that anyone interested in TLS security should definitely understand.
I’d love to hear your comments on this – please do feel free to leave them here. Tell me why cert pinning is great… tell me why it’s not. Tell me I’m wrong (or right!). Please do note that we do moderate comments because of spam but we approve basically very comment that isn’t abusive or spam.
Apr 30
Wire Launches WebRTC Voice/Chat Web App For Windows, Linux, more – Includes High TLS Security
Yesterday the team over at Wire launched a new WebRTC-based "Wire for Web" app that lets people on Windows, Linux or any other platform now communicate with people using Wire on iOS, Android or OS X. You can get to it simply at:
Note: an audio podcast about this topic is also available:
https://app.wire.com/If you already have an account you simply sign in with your credentials. If you don't have an account you can easily create one.
I've been running both the native Mac OS X client and the web client for a bit now (I was part of web beta program for Wire) and it is truly amazing how well the team has made the web experience to be seamless between the web and native client. Here's a screenshot showing both side by side (click/tap for a larger image):
In the web view on the right you have the browser bars at the top and one of the images did not go the full width of the column, but otherwise the experience and visual display has been essentially identical between the two platforms. The synchronization between the two is nearly instantaneous and all the features work really, really well.
Notifications in the web browser (if you allow them) work great to alert you to new messages.
And the voice calls from within the web browser have the same outstanding audio quality I've come to expect from Wire.
All in all the web implementation is quite excellent.
This new web app also addresses a concern I had from the initial launch of Wire back in December - the lack of a client for users on Microsoft Windows. With this web app Windows users - and Linux users - can now equally participate in communication over Wire. This is all courtesy of WebRTC that allows modern browsers to be able to use voice and chat from directly within the browser. Wire co-founder and CTO Alan Duric published a post about how they use WebRTC.
Alan also clued me in to the strong degree that the Wire team takes security extremely seriously. In fact I would say they take it more seriously than many other similar web apps I've seen. If you go over to Qualys SSL Labs and plug in "app.wire.com" you get a result of an "A+":
The same can NOT be said of other similar web interfaces that I tested from similar services.
I've been writing about Wire for a bit now (see my various articles) and I have it running on my Mac all the time, primarily because of the great value I get out of a couple of group chats that I am in. From a chat / messaging perspective it's one of the best I've seen and I find it extremely useful.
Curiously, I don't find myself using Wire as much for actual calls, primarily because I find that much of my interaction has moved to video calls, and Wire doesn't support those yet. When I do use Wire the audio quality is truly amazing, but that has to do with the audio pedigree of the team behind Wire, and the fact that they are using the Opus codec. On a larger level, there is also the continued "directory dilemma" that I've written about, namely that Wire has the same struggle as most other new tools in that you need to gather a strong "directory" of people who are actually using the app for it to be an app that people regularly use. Most of the people with whom I regularly communicate aren't users of Wire ... yet.
Still, the release of this "Wire for Web" gives me hope that Wire may be able to build some momentum now that, for example, Microsoft Windows users can now join in. Time will tell... but this will definitely help!
Kudos to the team at Wire for this very excellent web release?
P.S. If you are using Wire, or try it out, you should be able to find me on Wire as "Dan York".
Note: an audio podcast about this topic is also available:
Apr 30
TDYR 242 – Wire.com Launches WebRTC-based Web App
Yesterday Wire.com launched "Wire for Web" letting anyone with a web browser use chat and voice to communicate with other users of the Wire apps for iOS, Android and Mac OS/X. See http://www.disruptivetelephony.com/2015/04/wire-launches-webrtc-voicechat-web-app-for-windows-linux-more-includes-high-tls-security.html for more info.
Apr 29
nTLDStats Adds DNSSEC Statistics for New Generic Top-Level Domains (newgTLDs)
Hooray! The folks over at nTLDstats have now added a new tab that lets you see which of the 100s of new generic top-level domains (newgTLDs) are seeing the most second-level domains signed with DNSSEC. You can see the stats at:
Here is a view of how it looks right now:
The site shows a number of interesting stats, including:
- the percentage of newgTLDs with signed second-level domains in them (60.80% at the time I write this)
- the number and percentage of signed zones as it relates to the overall number of registered domains within the newgTLDs
- the number of zones (of those signed) that failed DNSSEC validation (indicating a configuration issue)
- a trend line over time
- the distribution of signed domains across the number of newgTLDs
- breakdowns of signed domains by both newgTLD and also by registrar
While the overall number of signed domains today within the 5.2 million domains registered in the newgTLDs is a very small 0.95%, we now have a very easy way to see where DNSSEC signing is being actively used – and a way to measure which of the newgTLDs and also registrars are doing the most to support DNSSEC deployment.
I was intrigued to see that the leader of the newgTLDs is the .OVH TLD sponsored by a French hosting provider, OVH, with Afnic providing the back-end registry. According to their site, the OVH domain started as an April Fool’s joke in 2009 and then became a reality due to the interest. Clicking through to their registrar site (they are apparently the only registrar for the .OVH domain), you can see why they have so many domains signed – they have a “Activate DNSSEC on this extension!” link directly on their registration page!
Looking at the Registrar Breakdown column, the OVH registrar leads in the number of DNSSEC-signed newgTLDs, presumably because they are again offering DNSSEC-signing to anyone who uses them for DNS hosting, regardless of what newgTLD they register under.
I was also curious as to why “.paris” was the second-highest newgTLD with 2,347 signed domains, but the probably answer could be quickly found by clicking through to the .paris page. It shows the top 2 registrars as “Gandi SAS” and “OVH sas”… my guess would be that many/most of the 2,347 signed domains could come from the 4,000 domains registered by OVH, given that they are actively promoting DNSSEC.
Another interesting element of this new page is that you can change the slider underneath the trend line to see more stats over time. By moving the slider all the way to the left you can get a view of the trend in the newgTLDs:
There’s a huge jump in October 2014. Given the other stats and the information on the OVH web site, my guess would be that this was a result of the launch of the .OVH newgTLD.
Anyway… there’s probably a lot more we can learn from exploring the statistics in this way. The key point is that now there is a very easy-to-use web interface that lets us track and be able to show which of the newgTLDs are doing the most to provide registrants the security provided by DNSSEC. I’d note that this is all possible because all of the new gTLDs are required by ICANN to submit their zone files to the Centralized Zone Data Service (CZDS), allowing sites like nTLDstats to query the CZDS and build views such as these.
Kudos to the nTLDstats team for adding this page! I will be adding it to our DNSSEC Statistics page and look forward to using it over time.
P.S. Want to get started with signing your domain? Visit our Start Here page to learn how!
Apr 29
TDYR 241 – It Would Have Been Easy To NOT Run Today
TDYR 241 - It Would Have Been Easy To NOT Run Today by Dan York
Apr 27
Internet.nl – A New Site to Easily Test Your Use of IPv6, DNSSEC, TLS and DKIM (Featured Blog)
"Is Your Internet Up-To-Date?" Does your existing Internet connection work with IPv6 and DNSSEC? Do your web sites support IPv6, DNSSEC and TLS? Is there a quick way to find out? Earlier this month a new site, Internet.nl, was launched to make this all easy for anyone to test. All you do is visit the site at en.internet.nl (also available in Dutch) and just follow the very easy links. More...
Apr 27
Internet.nl Provides An Easy Way To Test Your IPv6, DNSSEC and TLS
“Is Your Internet Up-To-Date?” Does your existing Internet connection work with IPv6 and DNSSEC? Do your web sites support IPv6, DNSSEC and TLS? Is there a quick way to find out?
Earlier this month a new site, Internet.nl, was launched to make this all easy for anyone to test. All you do is visit the site at en.internet.nl (also available in Dutch) and just follow the very easy links:
All you do is click “Test my internet connection” to find out if your current connection supports IPv6 and DNSSEC. Enter any website address to test whether that site supports IPv6, DNSSEC and TLS. And enter any email address to find out if it supports IPv6, DNSSEC and DKIM/SPF/DMARC.
Here was the response I received for one of my email accounts:
You then have a link you can follow to get more details.
While there are obviously more detailed tests that can be performed, this site does a nice job giving a high level view of whether your connections are protected. I also like the fact that it uses “regular” language to explain why someone should care about these tests, rather than using the technical acronyms.
The site is great to have out there and we’ll be adding it to our list of DNSSEC tools and other places within Deploy360.
Congratulations to the various organizations behind Internet.nl on the launch! May this new site help many more people learn what they need to do to bring their Internet connections and sites up-to-date!
P.S. Please also read Olaf Kolkman’s post providing another perspective on the launch. And yes, both the Internet Society and our Internet Society Netherlands Chapter were involved with the launch. If you would like to get started with IPv6, DNSSEC or TLS, please visit our Start Here page to begin!
Apr 27
The Hobson & Holtz Report – Podcast #805: April 27, 2015
Neville will be away in Boston next week, Gini Dietrich will guest co-host next week’s episode; FIR Book Review coming from Shel on Jeff Jarvis’s “Geeks Bearing Gifts”;
Quick News: The fewer likes your Facebook page has the better its organic reach, NHL bans media from using Periscope and Meerkat, explosion of mobile messaging apps continues, Twitter sells sports tickets in tweets; the Media Monitoring Minute with CustomScoop;
News That Fits: Twitter begins to embrace its role as a destination for people who will never be active tweeters; Dan York’s Tech Report; the sudden interest in mobile video streaming apps; listener comments in the FIR Podcast Community on Google+; Igloo Software promo; Michael Netzley’s Asia Report: video advocating a day of rest for domestic workers ruffles feathers in Singapore; the past week on the FIR Podcast Network; what journalists have to say about pitches;
Music from Motorama; and more.
For Immediate Release: The Hobson and Holtz Report for April 27, 2015: An 69-minute podcast recorded live from Wokingham, Berkshire, England, and Concord, California, USA.
Links to websites, blog posts and other content we discuss in the show are posted as Delicious bookmarks to facilitate your connection with the discussions and sharing of that content.
The post The Hobson & Holtz Report – Podcast #805: April 27, 2015 appeared first on FIR Podcast Network.
Apr 27
FIR #805 – 4/27/15 – For Immediate Release
Gini Dietrich to guest co-host in two weeks, review of Geeks Bearing Gifts is coming; Quick News: Facebook tweaks its algorithm again, NHL bans media from using Periscope and Meerkat, explosion of mobile messaging apps continues, twittr sells sports tickets in tweets; Media Monitoring Minute from CustomScoop; News That Fits: Twitter embraces its role as a destination for non-active tweeters, Dan York's Tech Report, surge of interest in mobile video streaming apps, listener comments, Igloo Software promo, Michael Netzley's Asia Report, reporters tweet their reactions to PR pitches; music from Motorama; and more.
