Understanding SSL Certificate for Apps by Symantec
0 likes504 views
The document discusses SSL/TLS technology's importance in secure communications and the common implementation errors found in non-browser applications. It outlines steps for building a secure certificate chain, including verifying certificates and ensuring proper settings are in place. The conclusion emphasizes the need for robust SSL practices to provide confidentiality, authentication, and integrity in communications.
Understanding SSL Certificate for Apps by Symantec
- 1. SSL for Apps – Brook R. Chelmo 1 Understanding SSL for Apps Brook R. Chelmo Principal Product Marketing Manager
- 2. Introduction • SSL/TLS is a core technology; critical to secure communications • The greatest challenge is not technology but implementation • Researchers found widespread errors in non-browser apps • Take the necessary steps to create a stronger & more trustworthy SSL implementation SSL for Apps – Brook R. Chelmo 2
- 3. Chain Building • During the SSL handshake the server will return one or more certificates SSL for Apps – Brook R. Chelmo 3
- 4. Chain Building • During the SSL handshake the server will return one or more certificates. • Misconfigured web servers may return more or fewer certificates than what is necessary. SSL for Apps – Brook R. Chelmo 4
- 5. Chain Building • During the SSL handshake the server will return one or more certificates. • Misconfigured web servers may return more certificates than what is necessary. • You may find a pointer to the certificate’s issuing certificate in the caIssuers entry in its authorityInfoAccess extension. • NOTE: Ignore self-signed certificates. SSL for Apps – Brook R. Chelmo 5
- 6. Build a Certificate Chain • Determine the end-entity SSL certificate by building a certificate chain. • The AuthorityKeyIdentifier or Issuer Distinguished Name must match the SubjectKeyIdentifier or Subject Distinguished Name. SSL for Apps – Brook R. Chelmo 6 Root CA Intermediate CA End Entity Certs SKI AKI SKI AKI Chain of Trust Chained Hierarchy
- 7. Build a Certificate Chain • Verify that the chain from end-entity to intermediate to root is valid. SSL for Apps – Brook R. Chelmo 7
- 8. 3 Scenarios Consider which certificates you will trust. Three Options: 1. Trust one certificate. 2. Allow any End-Entity SSL certificate signed by a particular trusted intermediate. Pick only one trusted root and avoid trusting all end-entity certificates that chain up to that root. 3. Require the end-entity to chain up to a certain trusted root and be signed by an intermediate certificate with a specific common name. SSL for Apps – Brook R. Chelmo 8
- 9. The 5 End-Entity & Intermediate Checks 1. Note that strings in certificates are stored as a byte length followed by that number of bytes. Don’t assume they’re null- terminated. There may also be different types of encoding such as UTF-8. 2. Check the validity against an accurate time source. 3. Check for either a crlDistributionPoints or authorityInfoAccess extension. 4. The app must be able to recognize & understand “critical” extensions. 5. Check the certificatePolicies extension. SSL for Apps – Brook R. Chelmo 9
- 10. The 4 Additional End-Entity Checks 1. Verify the FQDN or IP address appears in the Common Name or the SAN extension (newer certificates). 1. Take into account proper wildcards 2. Reject the certificate if it has more than one common name. 3. IDN certificates should contain a punycode Unicode domain name in the Common Name or SAN 2. If it has a basicConstraints extension, check that the cA flag is set to “false” and the pathLenContraints is set to “zero” 3. If the certificate has a keyUsage extension, check that the digitalSignature and keyEncipherments bits are set. SSL for Apps – Brook R. Chelmo 10
- 11. The 4 Additional End-Entity Checks 4. If the certificate contains an extKeyUsage extension, the extension value must be either the special anyExtendedKeyUsage value, or if it contains special purpose OIDs, then id-kp-serverAuth must be included. SSL for Apps – Brook R. Chelmo 11
- 12. The 3 Additional Intermediate Checks 1. Must contain a basicConstraints extension with a cA flag of “true.” 2. Must contain a keyUsage extension with a keyCertSign set. 3. Check that any name or policy constraints are consistent with those in the certificates beneath it in the chain. SSL for Apps – Brook R. Chelmo 12
- 13. Conclusion SSL for Apps – Brook R. Chelmo 13 Proper SSL provides confidentiality, authentication, and integrity without interception or modification. Symantec is leading the way in security and authentication practices by working with browser developers, customers, bloggers, & other stakeholders to build a better security ecosystem.
- 14. Thank you! Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. SSL for Apps – Brook R. Chelmo 14 Symantec World Headquarters 350 Ellis Street Mountain View, CA 94043 USA 1 (866) 893 6565 www.symantec.com