Subscribe:

Thursday 1 November 2012

SSL for Apps


SSL/TLS is technology that is critical for securing communications. The challenge facing the SSL ecosystem today is how it is being implemented and used. Several University researchers have recently published reports indicating errors and shortcomings in non-browser applications that act as the client of an SSL/TLS connection. These issues result from flawed implementations of SSL in the applications or in SDKs or APIs used by them. SSL Client non-browser applications should follow these best practices to ensure the high level of authentication, confidentiality and integrity promised by SSL remain intact.

A Developer must perform a number of checks, and the most important is to cryptographically validate that the end-entity certificate presented by the server is the expected certificate, or was signed by an expected certificate. In other words, the Developer must create a trusted and validated chain of certificates starting with the end-entity certificate and linking up to a trusted root or intermediate certificate. Certificates in the chain can be returned in random order, with instances of more or even fewer certificates necessary to build a chain. If a self-signed root certificate is returned by the server, it should be ignored. By building a certificate chain, the developer cryptographically verifies that the chain from end-entity certificate through intermediates to root certificate are valid and can be trusted.

Think carefully about which certificates you will trust. It is good to require the server to return a particular end-entity SSL certificate, however your application can break when the certificate is renewed or replaced. Alternatively, require that the end-entity SSL certificate chains up to a particular trusted root, and is signed by an intermediate certificate with a specific Common Name.

The SSL/TLS protocol, when properly implemented, provides strong confidentiality and integrity for communications, as well as authentication of one or both endpoint identities. But it must be used according to standards and best practices. SSL Certificate has been the key to trust on the Internet for more than a decade, and it will continue to provide excellent protection against evolving cyber security threats.