SANS Internet Storm Center (ISC) InfoSec Forums

ISC/DShield Website TLS Updates

On Thursday, we will change our TLS certificate to one issued by Let's Encrypt. In the past, we used normal "commercial" certificates. Until a few months ago, we used HTTP Public Key Pinning. It appears that key pinning is no longer going to be supported by browsers, so we decided to remove this feature, which enabled us to use Let's Encrypt. We removed the key pinning header a while ago, and browsers should no longer "pin" for our sites. But in case you are experiencing problems connecting to this site later this week, please let us know. You may still be able to connect to www.dshield.org if you cannot connect to isc.sans.edu.

We will also make another attempt to turn off TLS 1.0 support. While strictly speaking not a big risk to our site, we try to follow best practices. In the past, we had issues with some podcast players. But the service hosting our podcast MP3s has already turned off TLS 1.0, so this should not be an issue anymore. Again: Please report errors.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

Johannes, ISC Handler (3216 Posts)
Please look into adding a DNS CAA record to keep inattentive Certificate Authorities from issuing HTTPS certificates for your domain.

Also note that Let's Encrypt says they will not police the issuance of certificates because they rely on automation. "Not our job" https://letsencrypt.org/2015/10/29/phishing-and-malware.html

Even if you add a CAA record for Let's Encrypt, their unwillingness to police the certificates they issue should be a problem for any high-security-conscious organization thinking about using them. This essentially is what cost Symantec their CA business.

There is a price for "free", and part of it is the loss of a security layer. Speaking personally, I find this change by SANS disappointing. By limiting certificate issuance to a commercial CA, one with two-factor logins and source IP controls, we're more confident that someone cannot get a certificate issued for one of our domains.

Hopefully you're at least subscribed to a Certificate Transparency Log monitoring service.

If a reader is not familiar with these topics, here is a good resource (I have no affiliation with them): https://sslmate.com/caa/

They also have a free monitoring service for up to five domains. If a certificate gets issued for your domain you will get an email within a few hours.
Anonymous
Good comments and recommendations. It's a balance of risk, I guess.

I have subscribed to the Facebook tool. https://www.facebook.com/notes/protect-the-graph/introducing-our-certificate-transparency-monitoring-tool/1811919779048165/ - if Facebook is an alternative for you. :)
dotBATman (65 Posts)
Let's Encrypt DO check CAA records: https://letsencrypt.org/docs/caa/

I quite like Let's Encrypt's approach to manually policing certificate registrations: It doesn't work, things will always slip through and end users' trust should not be based upon it being effective. So we won't do it.

/L1
Anonymous
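The two comments above (the recommendation to publish a DNS CAA record, and the note that Let's Encrypt honours CAA) turn on how a CA decides whether a CAA RRset permits it to issue. The following is an added example, not code from the post, from any commenter, or from Let's Encrypt: it implements the RFC 8659 decision rules (tree climb to the first RRset, issue vs. issuewild, the empty issuer meaning "nobody", and the critical flag on an unknown property) against a constructed in-memory zone. The hostnames under example.org and the records in ZONE are made up for illustration; no DNS query is made.

```python
"""Evaluate DNS CAA records (RFC 8659) against a constructed zone.

Added example; not code from the ISC post, its commenters, or Let's Encrypt.
ZONE is constructed data for illustration; nothing here talks to DNS.
"""
from dataclasses import dataclass

CRITICAL = 0x80  # flags bit 7: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str  # e.g. "letsencrypt.org; validationmethods=dns-01", or ";" for nobody


# Constructed zone (hypothetical names): FQDN -> CAA RRset.
ZONE = {
    "example.org": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),                      # nobody may issue wildcards
        CAA(0, "iodef", "mailto:security@example.org"),
    ],
    "frozen.example.org": [CAA(0, "issue", ";")],      # no CA may issue at all
    "open.example.org": [CAA(0, "iodef", "mailto:x@example.org")],  # iodef only: unrestricted
    "odd.example.org": [CAA(CRITICAL, "newtag", "x")],  # unknown property marked critical
}


def relevant_rrset(fqdn):
    """RFC 8659 section 3: the first non-empty CAA RRset found walking from the
    name toward the root (root itself excluded). A wildcard request for *.x
    is evaluated starting at x."""
    name = fqdn.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = ZONE.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuer_domain(value):
    """The issuer-domain-name is the text before the first ';', case-folded.
    An empty name (value ";" or "") grants no issuance to anyone."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(ca_domain, fqdn):
    """Return (allowed, reason) for ca_domain issuing a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    where, rrset = relevant_rrset(fqdn)
    if not rrset:
        return True, "no CAA records found: issuance unrestricted"
    # A critical property the CA does not understand forbids issuance outright.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"{where}: critical unknown property {rr.tag!r}"
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"  # issuewild present: issue properties are ignored for wildcards
    props = [rr for rr in rrset if rr.tag.lower() == tag]
    if not props:
        return True, f"{where}: no {tag} property, issuance unrestricted"
    allowed = {issuer_domain(rr.value) for rr in props} - {""}
    if ca_domain.lower() in allowed:
        return True, f"{where}: {tag} authorizes {ca_domain}"
    return False, f"{where}: {tag} permits only {sorted(allowed) or 'nobody'}"


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.org"),
                     ("digicert.com", "www.example.org"),
                     ("letsencrypt.org", "*.example.org"),
                     ("letsencrypt.org", "deep.sub.frozen.example.org"),
                     ("letsencrypt.org", "open.example.org"),
                     ("letsencrypt.org", "odd.example.org"),
                     ("letsencrypt.org", "example.net")]:
        ok, why = ca_may_issue(ca, name)
        print(f"{'ALLOW' if ok else 'DENY ':5} {ca:16} {name:30} {why}")
```

The cases worth checking against your own zone are the ones the table exercises: a subdomain with no record of its own inherits the parent's policy, an `issuewild ";"` blocks wildcard issuance even though `issue` allows the CA, and a record carrying only `iodef` restricts nothing. `dig +short CAA example.org` shows the live RRset a CA would evaluate.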
