ISC StormCast for Tuesday, October 31st 2017
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 30 October 2017
⏱️ 6 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Tuesday, October 31st, 2017 edition of the Sands and its Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Stockholm, Germany. Let's start with a couple of HVPS-related topics. Now, first of all, Google announced that they may drop support for public key pinning in Google Chrome. |
| 0:27.6 | Public key pinning has been around for a couple years now, I believe, but hasn't really taken off for a number of reasons. |
| 0:36.9 | First of all, it's not quite straightforward to actually enable it. |
| 0:41.3 | And secondly, there is a pretty real denial of service possibility if you are enabling it, |
| 0:48.9 | or worse, if an attacker is enabling it for you. Now, just as a quick reminder with public key pinning, your web server will return a special header. |
| 1:00.7 | This header will contain hashes for all keys that are valid for your particular host name or domain. |
| 1:08.6 | Now, the problem, of course, comes up if you ever need to rotate your key. |
| 1:12.9 | Now, public key pinning, the standard actually requires that you have at least two keys listed |
| 1:18.6 | here, but if you don't do it right, if you rotate keys and you make a key life that's not in the |
| 1:27.2 | list, then, of course, people will no longer be able to connect to your site. |
| 1:32.4 | Now, of course, the problem that public keypinning tries to address is very real in that it does prevent someone from going to a certificate authority, |
| 1:43.7 | tricking or coercing that certificate authority |
| 1:47.7 | in giving them a valid key for your domain. |
| 1:52.1 | Now, what Google says is, well, there are actually other ways that don't have all the negative |
| 1:58.0 | side effects to accomplish the same thing. |
| 2:01.6 | One thing, well, a certificate transparency. |
| 2:04.6 | If browsers will only trust certain authorities that do publish certificate transparency lists, |
| 2:12.6 | then of course such a bad certificate would be spotted by the legitimate owner of that domain. Of course, |
| 2:21.5 | that assumes that domain owners care enough to subscribe to these type of alerts. It's typically |
| 2:28.2 | free. It's not at hard to subscribe to the alert. And what it really comes down in the end is that public key pinning |
| 2:36.6 | really hasn't taken off. There are only few sites that use it. So probably chances are that |
| 2:44.0 | more people will use the certificate transparency alerts and maybe other methods like these CAA DNS records that were |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.