One Article Review

Article:
Source AlienVault Blog
Identifier 1144721
Publication date 2019-06-07 13:00:00 (seen: 2019-06-07 16:00:40)
Title A Guide to Mobile TLS Certificate Pinning (2019)
Text

TLS pinning for identity assurance

Cybersecurity professionals know what they’re up against. The type, number and severity of cyberattacks grow with time. Hackers display no shortage of cunning and ingenuity in exploiting security vulnerabilities, compromising important data and inflicting damage on both individuals and organizations. Cybersecurity professionals also know that their defenses must evolve along with the attacks, requiring them to display even more ingenuity than hackers when creating security tools. They also need to pile those tools on top of one another (defense in depth) in order to make life as difficult as possible for hackers.

TLS Certificates

One such security precaution is the issuance of transport layer security (TLS) certificates by trusted Certificate Authorities (CAs). While the main purpose of TLS pinning is identity assurance, TLS also provides confidentiality and integrity of data using PKI, which can improve assurance of the identity of the endpoint. After verifying the website server’s identity, the certificates create encrypted channels of communication between that server and visitors.

Unsurprisingly, hackers have devised workarounds to these certificates, even going as far as buying and selling forged TLS certificates on the dark web. The mere existence of a TLS certificate is no longer enough to guarantee secure internet communication between web servers and clients. To stay ahead of hackers, the arms race continues.

One such additional measure is known as TLS pinning, which offers an additional layer of security that meshes nicely with what the certificate issuance system already does. Given the growing severity of cyberattacks on mobile devices and platforms, here’s what TLS pinning means for mobile users and how it affects the downloading of new mobile apps.

What TLS Certificates do and How They Work

TLS certificates work through the “magic” of public key encryption. The central principle behind public key encryption is that two parties, A and B, who wish to send messages to one another without any third party, C, reading their messages can best do so if each has both a public and a private key that they can use to encrypt and decrypt messages.

The public key encryption process allows A to craft a message for B and use B’s public key — which is available to the public — to turn that message into encrypted gibberish. The only thing that will be able to turn the gibberish back into the original message is B’s private key, which only B has access to. As long as B doesn’t lose their private key and keeps others from stealing it, it won’t matter if C is able to intercept A’s message to B. It will be unreadable to anyone but B. The same is true for any message that B sends to A. B encrypts their message with A’s public key, and only A’s private key will be able to decrypt it.

HTTPS is the TLS Highway

TLS certificates allow web servers to securely communicate with clients protected by public key encryption. Hypertext Transfer Protocol (HTTP) is the standard communication protocol on the internet and Hypertext Transfer Protocol Secure (HTTPS) is the version that uses public key encryption. In HTTPS, communication is secured through a
Sent Yes
Digest 2019 certificate feedblitz guide mobile pinning tls
Tags
Stories
Notes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.