All I Know About Certificates – Certificate Authority
The article highlights the significance of TLS certificates in verifying website identities, preventing impersonation, and maintaining trust through trusted Certificate Authorities, while outlining the verification process and the role of intermediate certificates.
Read original article
The article discusses the importance of certificates in the TLS handshake, emphasizing their role in verifying the identity of websites to clients. Certificates are essential for preventing impersonation, as they confirm that the holder is the legitimate owner of a domain. The piece clarifies that while anyone can issue certificates, only those from trusted Certificate Authorities (CAs) are reliable. The relationship between clients, CAs, and websites is outlined, highlighting that clients trust CAs, which in turn issue certificates to websites. The article explains the verification process for website identity, which includes the ACME Challenge, and stresses the need for CAs to protect their private keys to maintain trust. It also introduces the concept of intermediate certificates, which help manage the issuance of certificates without directly exposing the root certificate. The signing process of certificates is described, detailing how data is encrypted and verified using public and private keys. Trust in CAs is fundamental, as clients store CA certificates locally, and new CAs can gain trust through established ones. The article concludes by hinting at the next discussion on the role of clients in the certificate verification process. Overall, it provides a comprehensive overview of how certificates function within the framework of internet security, emphasizing the critical nature of trust in this ecosystem.
Related
Sustaining Digital Certificate Security – Entrust Certificate Distrust
Google's Chrome Security Team distrusts specific Entrust certificates due to reliability concerns. Chrome 127 onwards won't trust certain Entrust TLS server authentication certificates dated after October 31, 2024. Website operators should review certificates for compliance.
Letsencrypt Supports Wildcard Certificates
Let's Encrypt offers free SSL/TLS certificates for secure HTTPS connections, relying on donations. They issue Domain Validation and SAN certificates, recommend reporting malicious activities, and emphasize TLS/SSL security.
Telekom Security: Revocation delay for TLS certificates
Telekom Security experienced a delay in revoking TLS certificates, affecting 336 certificates due to basicConstraints not marked as critical. Efforts were made to prompt customers for replacement within 5 days. Lessons included the need for customer sensitization and faster certificate replacement procedures. Automation via protocols like ACME was considered for future processes. Stakeholders questioned the delay, but Telekom Security defended its decision based on low security risk and impact on critical infrastructures. The incident underscored challenges faced by CAs in ensuring timely revocation and the importance of continuous improvement for industry standards and trust.
Deutsche Telekom issued invalid certificates, hasn't revoked them since 6 months
Telekom Security faced delays in revoking TLS certificates, impacting critical infrastructures. Efforts were made to replace 336 certificates within 5 days, highlighting the need for faster procedures and customer sensitization. Mozilla raised concerns about the response, emphasizing the importance of compliance with industry standards.
All I Know About Certificates – Certificate Authority
The article highlights the critical role of certificates in the TLS handshake for website identity verification, emphasizing trusted Certificate Authorities' responsibilities and the impact of free certificates from Let’s Encrypt.
9 commentsPerhaps my greatest grievance is that it’s a leaky abstraction by design. There are small to huge differences between different CA vendors, SSL implementations and the internal DER/Asn1 structures they emit. This also includes key encodings.
Error codes are incredibly opaque. Ever tried parsing a wrapped SPKI key with Ring/BoringSSL? It crashes with „Wrong Tag“ and incromprehensible letter soup. OpenSSL‘s Base64 toolset only works with aligned/padded input and a specific alphabet. Try inputting non-padded data, all you get is „Error“. That‘s it. Incredible.
Does this SSL implementation expect raw SubjectPublicKeyInfo, or can it accept Keys with additional headers? Can I trust that extended attributes are handled correctly? OpenSSL just emits „some“ DER here, while BoringSSL expects my public key to be of „ECDSA__ASN1“ format - or was it „ ECDSA__FIXED“? I have embedded devices that use MbedTLS or WolfSSl, Rust backend servers which depend on Ring/BoringSSL, Users which want to use OpenSSL EE certs and a public CA which could use any of these. How the hell do I generate certificates and keys in a way they all understand?
I don‘t know, and neither do you.
It‘s all a massive headache.
https://jamielinux.com/docs/openssl-certificate-authority/
It hasn't been updated for Subject Alternative Names or EC keys, but it's sort of like a Linux From Scratch for SSL CA ops that can help you understand what tools like smallstep-cli are doing behind the scenes.
The X509 library functions in openssl is horrific, with plenty of opportunities to mess up.
It's a paradox that something that is designed to improve security is designed in a way that make it extremely hard to implement it in a clean and secure manner.
I've actually come to like the idea of zone files with different record types like A records, CNAME, etc... but the architecture is too complicated and centralised.
With replication and caching, you can scale to unlimited reads. That's good. But the writes require trusting a small number of centralised entities.
It would be best implemented as a Blockchain. Then you would get unlimited scalability in terms of reads and there would be no complex cache hierarchy because every node is an equal replication. No single node requires special privileges. You just pay the Blockchain transaction fee to buy and sell domains and you just pay to the block forgers/miners... Which can be anyone.... So there is need to trust authorities. It would all be market based.
Blockchain data is fully public and cryptographically verifiable so it's an ideal match for this use case. Also, you could actually own your domain names without expiry instead of having to pay some rent-seeking organization every year or so.
Isn't it crazy that it's not possible to actually own a domain name? You'd think some big tech company would lobby for that... Surely worth having extra guarantees...
Related
Sustaining Digital Certificate Security – Entrust Certificate Distrust
Google's Chrome Security Team distrusts specific Entrust certificates due to reliability concerns. Chrome 127 onwards won't trust certain Entrust TLS server authentication certificates dated after October 31, 2024. Website operators should review certificates for compliance.
Letsencrypt Supports Wildcard Certificates
Let's Encrypt offers free SSL/TLS certificates for secure HTTPS connections, relying on donations. They issue Domain Validation and SAN certificates, recommend reporting malicious activities, and emphasize TLS/SSL security.
Telekom Security: Revocation delay for TLS certificates
Telekom Security experienced a delay in revoking TLS certificates, affecting 336 certificates due to basicConstraints not marked as critical. Efforts were made to prompt customers for replacement within 5 days. Lessons included the need for customer sensitization and faster certificate replacement procedures. Automation via protocols like ACME was considered for future processes. Stakeholders questioned the delay, but Telekom Security defended its decision based on low security risk and impact on critical infrastructures. The incident underscored challenges faced by CAs in ensuring timely revocation and the importance of continuous improvement for industry standards and trust.
Deutsche Telekom issued invalid certificates, hasn't revoked them since 6 months
Telekom Security faced delays in revoking TLS certificates, impacting critical infrastructures. Efforts were made to replace 336 certificates within 5 days, highlighting the need for faster procedures and customer sensitization. Mozilla raised concerns about the response, emphasizing the importance of compliance with industry standards.
All I Know About Certificates – Certificate Authority
The article highlights the critical role of certificates in the TLS handshake for website identity verification, emphasizing trusted Certificate Authorities' responsibilities and the impact of free certificates from Let’s Encrypt.