
My Situation:

I've set up my own certificate authority, and generated a certificate for a server used primarily internally.

As I understand it, I can configure my browsers/computers to trust the certificate of the internal server by importing the cert of the higher authorities.

My Concern:

How can I be made aware (before I submit sensitive info to the rogue server or MITM device) of any attack whereby a pre-trusted authority is used to generate a new certificate for an imposter server?

Can I configure my browser (Chrome, Firefox) to throw an alert if the certificate issuer / fingerprint changes?

In short, how can I untrust trusted authorities on a per-domain basis?

robut

3 Answers


Can I configure my browser (Chrome, Firefox) to throw an alert if the certificate issuer / fingerprint changes?

Chrome and Firefox both support HPKP, which allows you to pin the public key of the certificate for a specific host. This does not throw an alarm if the issuer changes, but only if the public key of the certificate changes. This is an even stricter protection, because anybody who would like to impersonate your site would need to have your original public/private key pair, no matter which CA is used in the end.

In short, how can I untrust trusted authorities on a per-domain basis?

There is no way to say up front which CA you will accept for which site. But once there is a certificate for a site, you can use HPKP to accept only certificates with specific public keys for that site.

Steffen Ullrich

No legitimate CA should issue a certificate for your server's hostname without first validating the certificate request. This is often done through domain validation.

To answer your second question: you can employ certificate pinning so that your browser will alert you if the certificate changes.

mti2935
  • Blunders and three-letter governmental initialisms both trump "should". I will research certificate pinning to see if it works for me. (I don't want to break usability for everything else on the Internet; does pinning do that?) – robut Nov 08 '15 at 03:51
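The two answers above both point at public-key pinning (HPKP in the first, "certificate pinning" in the second) without showing what a pin actually is or how the check behaves against the scenario in the question. The following Go program is an added example, not code from either answer: it computes HPKP pins the way RFC 7469 defines them (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo), renders a Public-Key-Pins header with the backup pin the RFC requires, and runs the client-side check against two constructed chains: the legitimate server certificate and an "impostor" certificate for the same hostname but a different key pair, which is what a compromised or coerced CA would produce. The hostname "intranet.example" and the self-signed throwaway certificates are assumptions for the demo; a real client would take the chain from the TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// spkiPin computes the HPKP pin for a certificate as RFC 7469 defines it:
// base64(SHA-256(DER-encoded SubjectPublicKeyInfo)). Hashing the SPKI rather
// than the whole certificate means the pin survives re-issuance by any CA as
// long as the server keeps the same key pair.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinsHeader renders a Public-Key-Pins header value. RFC 7469 requires at
// least one backup pin that is not in the served chain, so callers pass the
// current key's pin plus a pin for an offline backup key.
func pinsHeader(pins []string, maxAgeSeconds int, includeSubDomains bool) string {
	parts := make([]string, 0, len(pins)+2)
	for _, p := range pins {
		parts = append(parts, fmt.Sprintf("pin-sha256=%q", p))
	}
	parts = append(parts, fmt.Sprintf("max-age=%d", maxAgeSeconds))
	if includeSubDomains {
		parts = append(parts, "includeSubDomains")
	}
	return strings.Join(parts, "; ")
}

// chainMatchesPins is the client-side check: a served chain is accepted only
// if at least one certificate in it carries a pinned public key. A certificate
// for the same hostname issued by a different (even trusted) CA fails, which is
// exactly the rogue-CA case the question asks about.
func chainMatchesPins(chain []*x509.Certificate, pinned []string) bool {
	for _, cert := range chain {
		p := spkiPin(cert)
		for _, want := range pinned {
			if p == want {
				return true
			}
		}
	}
	return false
}

// selfSigned builds a throwaway self-signed certificate for the demo
// (constructed input). In real use the leaf comes from the TLS handshake,
// e.g. tls.ConnectionState.PeerCertificates.
func selfSigned(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// "intranet.example" is an assumed hostname for the demo.
	legit, _ := selfSigned("intranet.example")
	backup, _ := selfSigned("intranet.example")   // stands in for the offline backup key
	impostor, _ := selfSigned("intranet.example") // same name, different key: what a rogue CA would issue

	pins := []string{spkiPin(legit), spkiPin(backup)}
	fmt.Println("Public-Key-Pins:", pinsHeader(pins, 5184000, false))
	fmt.Println("legit chain accepted:   ", chainMatchesPins([]*x509.Certificate{legit}, pins))
	fmt.Println("impostor chain accepted:", chainMatchesPins([]*x509.Certificate{impostor}, pins))
}
```

The impostor chain is rejected even though, to a browser that only consults its trust store, it would look perfectly valid. Note the usability trade-off the comment above asks about: a pin is remembered for max-age seconds, so rotating to a key whose pin was never published locks clients out for that long, which is why the backup pin for an offline key is mandatory and why the max-age should be chosen conservatively.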

There are some browser add-ons that can do what you are looking for:

  • Certificate Patrol: This add-on will warn you when the certificate or certificate authority changes for a website. It will allow you to audit the certificates your browser is accepting for a particular domain. One disadvantage is that the warnings can become quite verbose in some situations.
  • Perspectives: This add-on has functionality to check the certificate history of a website as seen by observations from their servers. You can configure rules to generate warnings if the certificate has not been stable for a certain number of days, among other features.
Austin Hartzheim