https: New option to validate, CertSignature #50
It seems the signature will change on each renewal; I will see how to extract the subject public key.
This option validates the signature of the remote certificate. It is always possible that a malicious actor might put in a MITM node and obtain his own certificate. In fact, such an attack has already happened; one of the well-documented cases: https://notes.valdikss.org.ru/jabber.ru-mitm/ The only way to detect such malicious intent is by validating the certificate public key.
Signed-off-by: Denys Fedoryshchenko <[email protected]>
I also have a small program to retrieve the public key of a website and format it properly, but it is in Python. Is it permissible to add it to the docs, or maybe create some directory like tools?
Does this actually work? Does this check if the final certificate is signed by the right key? Is that right key stable? I tried to think this one over earlier but did not figure it out.
The initial approach was unsuccessful, but I'm currently testing an alternative method on my own infrastructure with promising results. However, there are some caveats to consider. I used your website as a reference point:
I noticed that the Subject Public Key Info is changing between renewals, which is bad for this monitoring. This behavior is also occurring on one of the project servers I manage, which is typical for default Certbot configurations. In contrast, I maintain some servers with relatively static setups where the public key remains consistent across renewals:

After investigating, I discovered that Certbot generates a new key on each renewal by default. This behavior can be modified using the "reuse-key = True" option, which is beneficial for certificate pinning, DANE, and certain monitoring scenarios.

We now face two options for key monitoring:
Given these considerations, I'm still evaluating whether pursuing this option is worthwhile. Both approaches have their merits and drawbacks in terms of security and practicality.
It seems the majority of solutions are changing the key, so this feature is unlikely to be useful :( Closing PR
This option validates the signature of the remote certificate.
It is always possible that a malicious actor might put in a MITM
node and obtain his own certificate.
In fact, such an attack has already happened; one of the well-documented cases:
https://notes.valdikss.org.ru/jabber.ru-mitm/
The only way to detect such malicious intent is by validating
the certificate signature.
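
The behaviour discussed in this thread, as an added example that is not code from this PR or the project: self-signed certificates stand in for CA-issued renewals to show that a pin on the certificate signature breaks on every renewal, while a pin on the Subject Public Key Info survives a renewal only when the key is reused (Certbot's `reuse-key`). The names `must`, `newKey`, `issue`, `pins` and the host `monitor.example` are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable in a demo, not in a monitoring daemon.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // fresh P-256 key
}

// issue self-signs a certificate for key; each call stands in for one renewal.
func issue(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "monitor.example"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// pins returns SHA-256 of the signature and of the SubjectPublicKeyInfo.
func pins(c *x509.Certificate) (sig, spki [32]byte) {
	return sha256.Sum256(c.Signature), sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

func main() {
	k := newKey()
	sig0, spki0 := pins(issue(k, 1))
	sig1, spki1 := pins(issue(k, 2))     // renewal with reuse-key
	_, spki2 := pins(issue(newKey(), 3)) // renewal with a new key (Certbot default)
	fmt.Println(sig0 == sig1, spki0 == spki1, spki0 == spki2)
}
```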