Does HTTP HSTS protect a domain from a bad-actor publicly-trusted CA issuing an illegitimate valid certificate?
5
  • Does HTTP HSTS protect a domain from a bad-actor publicly-trusted CA issuing an illegitimate valid certificate?

    For examples of publicly-trusted CAs, see any of the members of the Mozilla CA Bundle.

  • Is there any way to protect a domain from having an illegitimate but publicly trusted CA issue a valid certificate?
http public-key-infrastructure certificate-authority trust hsts
asked 8 hours ago
ThorSummoner

174 · 1 silver badge · 5 bronze badges
  • 1

    Depending on how HSTS is set up on the particular site (subdomains and so on), the browser does not ask for anything further than a valid certificate for an HSTS site. That means it doesn't require the certificate to be the same exact one as the last time the site was visited. You'd think that's a liability, but not so much. Local ARP/DNS spoofing won't allow you to generate a publicly-trusted CA; all modern browsers will throw red flags. There is a risk, though, that a particular website gets hijacked... but then would they even need to replace the cert? :)

    – I'm a TI calculator
    8 hours ago

  • @I'maTIcalculator I suppose my hope was that the certificate wanted to be trusted would be bundled and distributed by, for example, the browser vendor, such that the browser software would have no need to ask the host for any certificate and check validity, but could instead assume any other certificate than the one bundled is invalid. I know that's a lot to ask, and probably far out of line with how much of the industry wants to operate. I suppose what I really want is to require my organization's CA to have signed all certificates that are considered publicly valid for my organization's domains.

    – ThorSummoner
    8 hours ago

  • 1

    In case anyone else is pondering how to become a CA, it's amazing: security.stackexchange.com/a/177897/53804

    – ThorSummoner
    7 hours ago

  • How many man-hours did it take you to submit, then audit and so on? Was it worth it in the end? Curious to know what's the total % or # of sites with a valid CA on the web today; can't be much... maybe you know?

    – I'm a TI calculator
    7 hours ago
1 Answer
6
No, HSTS does not protect against certificate misissuance. HSTS simply tells the browser to only allow connecting to that site over HTTPS; it doesn't have anything to do with checking whether the certificate should be trusted.

There are two things that can help with misissuance to some extent: Certificate Transparency (CT) and Certificate Authority Authorization (CAA).

Certificate Transparency won't prevent misissuance by a CA, but it requires that certificates are publicly logged, so you can check and see if any certificates have been issued for your domain that shouldn't have been. Since 2018 Google Chrome has required that all new certificates issued be CT logged in order to be trusted. Firefox does not yet, unfortunately, but in practice all certificates issued these days are CT logged, as otherwise they would not work with Chrome.

Certificate Authority Authorization allows you to indicate which CAs are allowed to issue certificates for your domain using a DNS record. This will prevent accidental issuance by a CA, but of course a bad actor will just ignore it.

A third option is HPKP, which allows you to pin a specific certificate that must be used for your domain (it needn't be a leaf certificate; pinning your CA's root would be somewhat similar to using CAA), but it has fallen out of favor and is no longer supported by Chrome.
answered 8 hours ago
AndrolGenhald

14.1k · 5 gold badges · 37 silver badges · 44 bronze badges
  • I think your answer beats mine! Delete time...

    – Conor Mancone
    7 hours ago
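The answer above makes two points worth seeing in code: CAA is a DNS-published policy that a compliant CA evaluates before issuing, and CT gives the domain owner the observations to audit against that policy. The following Python is an added example, not code from the question, the answer, or any CA or browser. It implements the RFC 8659 evaluation (climb from the requested name toward the root to find the relevant CAA record set, apply `issue` or `issuewild`, refuse on an unknown property with the critical flag set) and then cross-checks a constructed list of CT-style observations against the policy. The zone contents, the CA identifiers `ca-one.example` and `ca-two.example`, and the observed certificates are all constructed sample data; CNAME handling is omitted as an assumption of the example.

```python
"""CAA (RFC 8659) policy evaluation and a CT-style audit over a constructed zone."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128          # flags bit 7: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0, or ISSUER_CRITICAL
    tag: str     # "issue", "issuewild", "iodef", or something a CA may not know
    value: str   # issuer domain, optionally followed by "; param=value", or ";" for "no one"


# Constructed sample zone (not real DNS data): owner name -> CAA record set.
SAMPLE_ZONE = {
    "example.com.": [
        CAA(0, "issue", "ca-one.example"),               # only ca-one may issue
        CAA(0, "issuewild", ";"),                        # nobody may issue wildcards
        CAA(0, "iodef", "mailto:security@example.com"),  # where to report violations
    ],
    "locked.example.com.": [CAA(0, "issue", ";")],       # no CA at all for this name
    "odd.example.com.": [CAA(ISSUER_CRITICAL, "futuretag", "x")],  # unknown critical property
}


def _normalize(name: str) -> str:
    return name.lower().rstrip(".") + "."


def relevant_rrset(zone, fqdn):
    """Walk from the FQDN toward the root and return (owner, records) of the
    first CAA set found, or (None, []) if no ancestor publishes CAA."""
    labels = _normalize(fqdn).rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, list(zone[owner])
    return None, []


def _issuer_domain(value: str) -> str:
    # "ca-one.example; accounturi=..." -> "ca-one.example"; ";" -> "" (no issuer permitted)
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone, fqdn, ca_domain, wildcard=False):
    """Decide, as a compliant CA would, whether ca_domain may issue for fqdn.
    Returns (allowed, reason)."""
    owner, rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True, "no CAA records found: issuance is not restricted"
    # An unrecognised property marked critical means the CA must not issue.
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{rr.tag}' at {owner}"
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"
    issuers = [_issuer_domain(rr.value) for rr in rrset if rr.tag.lower() == tag]
    if not issuers:
        return True, f"no '{tag}' property at {owner}: issuance is not restricted"
    if ca_domain.lower() in issuers:
        return True, f"'{tag}' at {owner} authorizes {ca_domain}"
    allowed = sorted(i for i in issuers if i)
    return False, f"'{tag}' at {owner} does not authorize {ca_domain} (allowed: {allowed})"


# Constructed CT-style observations: (certificate name, issuing CA's CAA identifier, wildcard?)
OBSERVED = [
    ("www.example.com", "ca-one.example", False),
    ("api.example.com", "ca-two.example", False),
    ("*.example.com", "ca-one.example", True),
]


def audit_observed_certs(zone, observed):
    """Cross-check what CT logs show against the CAA policy; return the entries
    a domain owner should investigate (name, issuer, reason)."""
    flagged = []
    for name, issuer, wildcard in observed:
        ok, reason = ca_may_issue(zone, name, issuer, wildcard)
        if not ok:
            flagged.append((name, issuer, reason))
    return flagged


if __name__ == "__main__":
    for name, issuer, reason in audit_observed_certs(SAMPLE_ZONE, OBSERVED):
        print(f"INVESTIGATE {name} issued by {issuer}: {reason}")
```

The `ca_may_issue` side is what a well-behaved CA runs; as the answer says, a malicious or compromised CA simply skips it, so the part a domain owner actually controls is `audit_observed_certs`: feed it what the CT logs report for your names and treat every flagged entry as a potential misissuance to raise with the CA and the browser root programs.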