CWE proposal for "Improper reliance on certificate pinning"

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

CWE proposal for "Improper reliance on certificate pinning"

Kurt Seifried
So: https://www.schneier.com/blog/archives/2017/12/security_vulner_10.html

TL;DR: Software uses certificate pinning to validate the certificate and doesn't do things like hostname checks. 

I'd like to propose a CWE for this, and I'm definitely open to a better name than "Improper reliance on certificate pinning", I know one aspect of is already covered by e.g. CWE-297: "Improper Validation of Certificate with Host Mismatch" however that doesn't get to the actual underlying cause of the flaw (which is less about hostname validation and more about over reliance on certificate pinning). Thoughts/comments welcome. 


--
Kurt Seifried
[hidden email]
To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
Reply | Threaded
Open this post in threaded view
|

Re: CWE proposal for "Improper reliance on certificate pinning"

Jeffrey Walton
On Fri, Dec 8, 2017 at 3:05 PM, Kurt Seifried <[hidden email]> wrote:

> So: https://www.schneier.com/blog/archives/2017/12/security_vulner_10.html
>
> TL;DR: Software uses certificate pinning to validate the certificate and
> doesn't do things like hostname checks.
>
> I'd like to propose a CWE for this, and I'm definitely open to a better name
> than "Improper reliance on certificate pinning", I know one aspect of is
> already covered by e.g. CWE-297: "Improper Validation of Certificate with
> Host Mismatch" however that doesn't get to the actual underlying cause of
> the flaw (which is less about hostname validation and more about over
> reliance on certificate pinning). Thoughts/comments welcome.

I think it would be helpful clearly differentiate between the
certificate pinning and public key pinning.

If you are pinning a public key (PKP), then the certificate is just a
presentation detail. PKP is a public key continuity strategy, and it
does not care about issuers or serial numbers.

I've never really given thought to certificate pinning because it is
mostly useless. CertPatrol is a classic example. Companies like Google
rotate their certificates every 30 days to keep CRL's small for mobile
clients. However, at the same time, the same public key is
re-certified. The practice runs amuck for tools like CertPatrol.

Jeff

To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
Reply | Threaded
Open this post in threaded view
|

Re: CWE proposal for "Improper reliance on certificate pinning"

Christey, Steven M.
In reply to this post by Kurt Seifried

Kurt,

 

The original Spinner paper says: “certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks.” 

(http://www.cs.bham.ac.uk/~garciaf/publications/spinner.pdf)

 

The key, incorrect behavior that introduces the problem is that the hostname is not verified.  The Spinner paper shows that a legitimate behavior (“pinning”) has made it more difficult to automatically determine whether a correct hostname check was performed before the pinning occurred; it says “the use of pinning makes the underlying problem of no hostname verification harder to detect.”

 

So, pinning is a feature of software that makes it more difficult to detect a certain insecure behavior.  Pinning is not, in and of itself, an insecure behavior – so, a CWE entry focused on pinning doesn’t make sense to me.

 

I believe it is more appropriate to update CWE-297 to provide a reference to the Spinner paper and add a Detection Method  element that explicitly states how pinning can make detection more difficult.

 

(The lack of a new entry makes it more difficult to use CWE IDs themselves to distinguish between such low-level variations, but CWE’s flat ID representation will always have such limitations.  See my comments in the 2012-12-18 thread “Use after free” at http://making-security-measurable.1364806.n2.nabble.com/Use-after-free-td7579488.html)

 

- Steve

 

 

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Friday, December 08, 2017 3:06 PM
To: cwe-research-list CWE Research Discussion <[hidden email]>
Subject: CWE proposal for "Improper reliance on certificate pinning"

 

So: https://www.schneier.com/blog/archives/2017/12/security_vulner_10.html

 

TL;DR: Software uses certificate pinning to validate the certificate and doesn't do things like hostname checks. 

 

I'd like to propose a CWE for this, and I'm definitely open to a better name than "Improper reliance on certificate pinning", I know one aspect of is already covered by e.g. CWE-297: "Improper Validation of Certificate with Host Mismatch" however that doesn't get to the actual underlying cause of the flaw (which is less about hostname validation and more about over reliance on certificate pinning). Thoughts/comments welcome. 


 

--

Kurt Seifried
[hidden email]

To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Reply | Threaded
Open this post in threaded view
|

Re: CWE proposal for "Improper reliance on certificate pinning"

Steve Overland
I'm in agreement with the other Steven.

My understanding of certificate pinning is that it's main use case is to whitelist authorized CAs in your application so a spoofed cert signed by a rogue/compromised CA will be rejected.

All the usual certificate checks are still required once you determine you have a cert signed by a "pinned" CA.  But a note calling that out wouldn't hurt.

This is where I learned about the threat and control:


Some relevant incidents: 




On Tue, Dec 12, 2017 at 9:14 AM, Christey, Steven M. <[hidden email]> wrote:

Kurt,

 

The original Spinner paper says: “certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks.” 

(http://www.cs.bham.ac.uk/~garciaf/publications/spinner.pdf)

 

The key, incorrect behavior that introduces the problem is that the hostname is not verified.  The Spinner paper shows that a legitimate behavior (“pinning”) has made it more difficult to automatically determine whether a correct hostname check was performed before the pinning occurred; it says “the use of pinning makes the underlying problem of no hostname verification harder to detect.”

 

So, pinning is a feature of software that makes it more difficult to detect a certain insecure behavior.  Pinning is not, in and of itself, an insecure behavior – so, a CWE entry focused on pinning doesn’t make sense to me.

 

I believe it is more appropriate to update CWE-297 to provide a reference to the Spinner paper and add a Detection Method  element that explicitly states how pinning can make detection more difficult.

 

(The lack of a new entry makes it more difficult to use CWE IDs themselves to distinguish between such low-level variations, but CWE’s flat ID representation will always have such limitations.  See my comments in the 2012-12-18 thread “Use after free” at http://making-security-measurable.1364806.n2.nabble.com/Use-after-free-td7579488.html)

 

- Steve

 

 

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Friday, December 08, 2017 3:06 PM
To: cwe-research-list CWE Research Discussion <[hidden email]>
Subject: CWE proposal for "Improper reliance on certificate pinning"

 

So: https://www.schneier.com/blog/archives/2017/12/security_vulner_10.html

 

TL;DR: Software uses certificate pinning to validate the certificate and doesn't do things like hostname checks. 

 

I'd like to propose a CWE for this, and I'm definitely open to a better name than "Improper reliance on certificate pinning", I know one aspect of is already covered by e.g. CWE-297: "Improper Validation of Certificate with Host Mismatch" however that doesn't get to the actual underlying cause of the flaw (which is less about hostname validation and more about over reliance on certificate pinning). Thoughts/comments welcome. 


 

--

Kurt Seifried
[hidden email]

To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].


To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
Reply | Threaded
Open this post in threaded view
|

Re: CWE proposal for "Improper reliance on certificate pinning"

Christey, Steven M.
All,

Just to close this off, we have made changes to multiple CWE entries to contain explicit recognition of how pinning can make it more difficult to detect certificate-handling weaknesses, e.g. in CWE-295: Improper Certificate Validation.

The changes are summarized as follows:

1. Under Modes of Introduction, we added another element related to the Implementation phase: "When the software uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete."

2. Under potential mitigations, we added another Implementation element that says: "If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname."

3. In CWE-297: Improper Validation of Certificate with Host Mismatch, we suggest Spinner as a potential Black Box detection mechanism for mobile, and we include a reference to the tool.  (Note that Spinner does not appear to address the other types of invalid-certificate handling, so it is not included in those other entries.)

Thanks to everybody for some productive, detailed discussion on this topic.

- Steve