Hacker News: Avoiding downtime: modern alternatives to outdated certificate pinning practices

Source URL: https://blog.cloudflare.com/why-certificate-pinning-is-outdated
Source: Hacker News
Title: Avoiding downtime: modern alternatives to outdated certificate pinning practices

AI Summary and Description: Yes

Summary: The text critically examines the practice of certificate pinning in the evolving landscape of Public Key Infrastructure (PKI). It highlights the risks and management challenges associated with keeping pinned certificates updated amid increasingly frequent certificate rotations. With a shift towards modern standards like shorter certificate lifetimes and automated certificate management, it advocates for the discontinuation of certificate pinning, offering practical alternatives to enhance security without the associated burdens.

Detailed Description:

The discussion on certificate pinning offers several insights for security and compliance professionals:

– **Overview of Certificate Pinning**: Originally intended to harden connections by having a client accept only a specific certificate or public key (or only certificates from one CA) instead of anything chaining to a trusted root, certificate pinning has become problematic as PKI practices have changed around it.

– **Current Challenges**:
– More frequent rotation of leaf and intermediate certificates means the certificate a server presents stops matching the pin baked into the client.
– Cloudflare has seen a rise in customer-reported outages traced to stale pins, with a marked increase since early 2024.

– **Factors Contributing to Outages**:
– Cloudflare's move away from DigiCert as a CA, together with CAs rotating their intermediate certificates on their own schedules, exposed pins that many customers did not know existed in their clients.
– A “set and forget” approach to pinning is no longer tenable: every pin is a commitment to redeploy the client before the next rotation.

– **Modern Alternatives to Pinning**:
– **Shorter Certificate Lifetimes**: Issuing certificates that expire sooner limits how long a compromised or mis-issued certificate remains usable; it also assumes automated renewal, which a pinned client cannot tolerate.
– **Use of CAA Records**: Lets domain owners declare in DNS which Certificate Authorities may issue for their names. CAA is checked by the CA at issuance time, not by clients, so it prevents mis-issuance by compliant CAs rather than replacing a client-side check.
– **Certificate Transparency**: Because publicly trusted CAs log the certificates they issue, monitoring CT logs shows every certificate issued for an organization's names, including ones it never requested, so anomalies can be detected quickly.
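The CAA behaviour described above is easy to misjudge: records are looked up by walking toward the root, wildcard requests are governed by `issuewild` when present and by `issue` otherwise, and an unknown tag with the critical flag forbids issuance. The following is an added example (not Cloudflare's code and not from the original post) that evaluates a CAA policy the way an RFC 8659 compliant CA does before issuing. The zone contents and CA names are constructed for illustration.

```python
"""Added example: RFC 8659 CAA issuance decision over a constructed zone."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 128 = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # issuer domain, ";" (nobody), or a reporting URL


# Constructed zone data (assumption): only these two owner names carry CAA.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "pki.goog"),
        CAARecord(0, "issuewild", ";"),          # no wildcards from anyone
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "api.example.com": [
        CAARecord(0, "issue", "digicert.com; accounturi=https://example/acct/1"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zone):
    """Return (owner, records) for the closest CAA RRset at or above name."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value):
    """Strip ';'-separated parameters, leaving only the issuer domain."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(requested_name, ca_domain, zone):
    """Decide whether ca_domain may issue for requested_name under CAA.

    Returns (allowed, reason). Wildcard names use issuewild if any such
    record exists at the relevant owner, otherwise fall back to issue.
    """
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    owner, rrset = relevant_rrset(base, zone)
    if not rrset:
        return True, "no CAA records found; any CA may issue"
    # A critical record the CA does not understand forbids issuance.
    for rr in rrset:
        if rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {rr.tag!r} at {owner}"
    tag = "issue"
    if wildcard and any(rr.tag == "issuewild" for rr in rrset):
        tag = "issuewild"
    relevant = [rr for rr in rrset if rr.tag == tag]
    if not relevant:
        return True, f"no {tag} records at {owner}; issuance allowed"
    for rr in relevant:
        if issuer_domain(rr.value) == ca_domain.lower():
            return True, f"{tag} record at {owner} authorizes {ca_domain}"
    return False, f"{tag} records at {owner} do not list {ca_domain}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("api.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("*.api.example.com", "digicert.com")]:
        print(name, ca, may_issue(name, ca, ZONE))
```

Note what this does and does not buy you: `api.example.com` carries its own RRset, so the parent's authorization of Let's Encrypt does not apply there, and `*.example.com` is refused for everyone because of the `issuewild ";"` record. The decision is made by the issuing CA; a CA that ignores CAA, or is compromised, is caught only by the CT monitoring discussed below this list, not by the records themselves.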

– **Risks of Continuing Pinning Practices**:
– Each level of pinning (root, intermediate, or leaf certificate) trades off differently: a leaf pin breaks on every renewal that rotates the key, an intermediate pin breaks whenever the CA rotates its intermediates on a schedule the customer does not control, and a root pin survives longest but accepts anything that root issues.
– Pinning to a root therefore does not narrow trust much, and if that root CA is compromised the pin offers no protection at all.

– **Adopting New Standards**: The text urges organizations to adopt the newer standards, which offer better manageability and security, and to phase out certificate pinning as an outdated practice.

– **Recommendations**:
– Organizations are encouraged to adopt automated certificate management processes and use tools like Cloudflare’s Universal SSL pipeline, which manages renewals seamlessly.
– Continuously monitor CT logs for certificates issued for your domains, so that mis-issuance is detected and acted on quickly.
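What a CT monitor actually has to do is less obvious than "watch the logs": deduplicate the precertificate and final certificate (which share an issuer and serial), compare the issuer against the CAs you expect, and compare the issued names against the names you know you requested. Below is an added example (not Cloudflare's code and not from the original post) of that audit step over constructed input. The input mimics the JSON shape returned by crt.sh for a `%.example.com` query (an assumption about field names; a real monitor would fetch that or read the logs directly), and the issuers and serials are made up.

```python
"""Added example: audit CT entries for unexpected issuers and names."""
import json

# Constructed sample in the shape of crt.sh JSON output (assumption).
# Entries 1001 and 1002 are the precertificate and final certificate of
# the same issuance; 1004 is an issuance nobody asked for.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "serial_number": "03a1", "not_before": "2025-05-01T00:00:00",
     "not_after": "2025-07-30T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "serial_number": "03a1", "not_before": "2025-05-01T00:00:00",
     "not_after": "2025-07-30T00:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=Google Trust Services, CN=WR3",
     "common_name": "api.example.com", "name_value": "api.example.com",
     "serial_number": "0b7f", "not_before": "2025-05-03T00:00:00",
     "not_after": "2025-08-01T00:00:00"},
    {"id": 1004, "issuer_name": "C=XX, O=Unexpected CA, CN=Unexpected CA R1",
     "common_name": "*.example.com", "name_value": "*.example.com",
     "serial_number": "ffe2", "not_before": "2025-05-04T00:00:00",
     "not_after": "2026-05-04T00:00:00"},
])

# Hypothetical inventory: which CAs we use and which names we requested.
EXPECTED_ISSUERS = {"Let's Encrypt", "Google Trust Services"}
KNOWN_NAMES = {"example.com", "www.example.com", "api.example.com"}


def issuer_org(issuer_name):
    """Pull the O= component out of a comma-separated issuer DN string.

    Simplified: assumes no escaped commas inside attribute values.
    """
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_name


def audit_ct_entries(raw_json, expected_issuers, known_names):
    """Return {"reviewed": n, "alerts": [(id, kind, detail), ...]}.

    One alert per finding: an issuer outside expected_issuers, or any
    SAN (including wildcards) not in known_names.
    """
    entries = json.loads(raw_json)
    seen = set()
    alerts = []
    for entry in sorted(entries, key=lambda e: e["id"]):
        key = (entry["issuer_name"], entry["serial_number"])
        if key in seen:          # precert and final cert of one issuance
            continue
        seen.add(key)
        org = issuer_org(entry["issuer_name"])
        if org not in expected_issuers:
            alerts.append((entry["id"], "unexpected-issuer", org))
        names = {n.strip() for n in entry["name_value"].split("\n") if n.strip()}
        unknown = sorted(names - known_names)
        if unknown:
            alerts.append((entry["id"], "unknown-name", unknown))
    return {"reviewed": len(seen), "alerts": alerts}


if __name__ == "__main__":
    report = audit_ct_entries(SAMPLE_CT_JSON, EXPECTED_ISSUERS, KNOWN_NAMES)
    print(f"reviewed {report['reviewed']} issuances")
    for alert in report["alerts"]:
        print("ALERT", *alert)
```

In practice the alert list feeds a ticket or a paging rule, and the two findings on entry 1004 are exactly the cases CAA cannot catch on its own: a CA you did not authorize issuing a wildcard you never requested. Running this on a schedule against fresh log data gives the early warning that pinning was meant to provide, without any change to the client.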

The call to action for security and compliance professionals is clear: to embrace modern practices that enhance security while minimizing management overheads, thereby reducing risk and improving operational effectiveness.