Does HTTP HSTS protect a domain from a bad-actor publicly-trusted CA issuing an illegitimate valid certificate?


  • Does HTTP HSTS protect a domain from a bad-actor publicly-trusted CA issuing an illegitimate valid certificate?

    (For examples of publicly-trusted CAs, see any of the members of the Mozilla CA Bundle.)

  • Is there any way to protect a domain from having an illegitimate but publicly trusted CA issue a valid certificate?










http public-key-infrastructure certificate-authority trust hsts






asked 8 hours ago









ThorSummoner
174 · 1 silver badge · 5 bronze badges




  • 1





    Depending on how HSTS is set up on the particular site (subdomains and so on), the browser does not ask for anything further than a valid certificate for an HSTS site. That means it doesn't require the certificate to be the same exact one as the last time the site was visited. You'd think that's a liability, but not so much. Local ARP/DNS spoofing won't allow you to generate a publicly-trusted CA; all modern browsers will throw red flags. There is a risk, though, that a particular website gets hijacked... but then would they even need to replace the cert? :)

    – I'm a TI calculator
    8 hours ago











  • @I'maTIcalculator I suppose my hope was that the certificate wanted to be trusted would be bundled and distributed by, for example, the browser vendor, such that the browser software would have no need to ask the host for any certificate and check validity, but could instead assume any certificate other than the one bundled is invalid. I know that's a lot to ask, and probably far out of line with how much of the industry wants to operate. I suppose what I really want is to require my organization's CA to have signed all certificates that are considered publicly valid for my organization's domains.

    – ThorSummoner
    8 hours ago






  • 1





    In case anyone else is pondering how to become a CA, it's amazing: security.stackexchange.com/a/177897/53804

    – ThorSummoner
    7 hours ago











  • How many man hours did it take you to submit, then audit and so on? Was it worth it in the end? Curious to know what’s the total % or # of sites with a valid CA on the web today, can’t be much.. maybe you know?

    – I'm a TI calculator
    7 hours ago
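The comment above describes what HSTS actually enforces: the browser wants a validly chained certificate and nothing more specific. The following Python models a browser-side HSTS policy cache along the lines of RFC 6797 to make that concrete. It is an added illustration, not code from the question, the commenter, or any browser; the names `parse_sts` and `HstsStore` are my own, and the preload list, port normalization and the "TLS errors become fatal" rule are left out. What the cache stores is the point: an expiry and an includeSubDomains bit per host, never a certificate, key or issuer.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Parse a Strict-Transport-Security header value into a dict keyed by
    lower-cased directive name.  Per RFC 6797 a duplicated directive or a
    non-numeric max-age makes the whole header invalid (returns None)."""
    directives = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            return None
        if name == "max-age":
            if not value.isdigit():
                return None
            directives[name] = int(value)
        else:
            directives[name] = value
    return directives


class HstsStore:
    """A browser-side HSTS policy cache (hypothetical, simplified).  Only an
    expiry time and the includeSubDomains flag are stored per host, so a
    different but validly chained certificate on a later visit is accepted
    exactly as the first one was."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so tests can advance time
        self.policies = {}             # host -> (expires_at, include_subdomains)

    def process_response(self, host, over_tls, cert_valid, header):
        """RFC 6797 sect. 8.1: honour the header only when it arrived over TLS
        with no certificate errors; max-age=0 removes an existing policy."""
        if not (over_tls and cert_valid) or header is None:
            return False
        directives = parse_sts(header)
        if directives is None or "max-age" not in directives:
            return False
        host = host.lower()
        if directives["max-age"] == 0:
            self.policies.pop(host, None)
            return True
        self.policies[host] = (self.now() + directives["max-age"],
                               "includesubdomains" in directives)
        return True

    def is_known(self, host):
        """RFC 6797 sect. 8.2/8.3: a host matches its own entry, or a superdomain
        entry flagged includeSubDomains; expired entries are evicted on sight."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self.now():
                del self.policies[candidate]
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when the host is a known HSTS host.
        The spec's other effect, treating TLS errors for known hosts as fatal,
        belongs to the TLS layer and is not modelled here."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

Feed `process_response` a header received over a clean TLS connection and subsequent `rewrite` calls for that host and its subdomains come back as `https://`; the same header over plain HTTP or a connection with a certificate error is ignored, which is why a first visit over an untrusted network is the window HSTS cannot close on its own.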












1 Answer
6









No, HSTS does not protect against certificate misissuance. HSTS simply tells the browser to only allow connecting to that site over HTTPS, it doesn't have anything to do with checking whether the certificate should be trusted.



There are two things that can help with misissuance to some extent, Certificate Transparency (CT) and Certificate Authority Authorization (CAA).



Certificate Transparency won't prevent misissuance by a CA, but it requires that certificates are publicly logged, so you can check and see if any certificates have been issued for your domain that shouldn't have been. Since 2018 Google Chrome has required that all new certificates issued be CT logged in order to be trusted. Firefox does not yet, unfortunately, but in practice all certificates issued these days are CT logged as otherwise they would not work with Chrome.



Certificate Authority Authorization allows you to indicate which CAs are allowed to issue certificates for your domain using a DNS record. This will prevent accidental issuance by a CA, but of course a bad actor will just ignore it.



A third option is HPKP, which allows you to pin a specific certificate that must be used for your domain (it needn't be a leaf certificate, pinning your CA's root would be somewhat similar to using CAA), but it has fallen out of favor and is no longer supported by Chrome.







answered 8 hours ago









AndrolGenhald
14.1k · 5 gold badges · 37 silver badges · 44 bronze badges




  • I think your answer beats mine! Delete time...

    – Conor Mancone
    8 hours ago
















