[wp-trac] [WordPress Trac] #25252: Pin the WordPress.org SSL certificates
WordPress Trac
noreply at wordpress.org
Tue Sep 17 03:30:55 UTC 2013
#25252: Pin the WordPress.org SSL certificates
-------------------------+--------------------
Reporter: rmccue | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 3.7
Component: HTTP | Version: trunk
Severity: normal | Resolution:
Keywords: |
-------------------------+--------------------
Comment (by dd32):
So, it sounds like Certificate Authority pinning is ideal, but prone to
issues surrounding certificate expiry.
The other (more reliable) method of certificate pinning is to verify the
underlying public key of the cert, which remains static between
certificates even when they expire. This is unfortunately not available to
us, as cURL doesn't offer that functionality; public key verification is
most often used by compiled languages which have direct access to the
OpenSSL internal callbacks.
Certificate Authority pinning, which in our case [at present] would mean
we "pin" the GoDaddy Authority certificate by having a certificate file
which only includes the GoDaddy CA cert, would mean we only ever trust
GoDaddy-supplied certificates, and not certs signed by the 143 other
Authorities.
That, however, still has the hole that if GoDaddy ever accidentally
assigned a WordPress.org certificate to someone that wasn't us (either
through human error, system error, or malicious intent), we'd trust that
"fake" certificate too. The way around this is for WordPress.org to have a
long-lived certificate itself (say, a 10 year cert) which then signs the
wordpress.org sites.
So it seems we have three options:
1. Leave as is, and trust any "valid" signed WordPress.org certificate
from any of the 144 Authorities (which is what we currently do)
2. Pin to the GoDaddy Authority Certificate for *.wordpress.org requests
(That GoDaddy certificate expires in 2026, The WordPress.org SSL certs
currently have a 3 year lifespan)
3. Get a long-lived certificate for WordPress.org, and use that as the
Authority that signs *.wordpress.org (i.e. it'd be Root CA (i.e. GoDaddy)
-> WordPress.org -> wordpress.org, *.wordpress.org, instead of GoDaddy ->
wordpress.org, *.wordpress.org)
2 has the disadvantage that we'd be locked to using GoDaddy for our
signing needs for a significant amount of time; 3 requires getting a long
cert and switching out the certificates which we use.
If we were to go with number 2 above, that seems like it'd be possible
now; however, all future certificates would have to be signed by them
too. In addition, moving from 2 to 3 would mean that we would require the
intermediate certificate to be signed by GoDaddy as well.
I'm not entirely comfortable suggesting that WordPress.org should be
locked to using one particular signer, so to me that rules out #2 above.
#3 is a better option, but that would effectively lock WordPress.org in
long-term to using that signer anyway.
I'm not entirely 100% clear on all this, so someone else may need to step
up and make some corrections here, and/or fill in any blanks.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25252#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list
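An added example, in PHP since that is what WordPress core is written in; it is not code from the ticket, from WordPress core or from dd32. It illustrates the point made in the comment above: a pin on the certificate's public key (the SubjectPublicKeyInfo, SPKI) is unchanged when a certificate is re-issued for the same key pair, while the certificate itself changes, and a certificate issued by the same CA for the same name but a different key fails the pin. All keys and certificates are generated at run time (nothing here is WordPress.org's), and the host name example.test is a placeholder. The pin format sha256//base64(sha256(DER SPKI)) is the one later cURL releases accept for CURLOPT_PINNEDPUBLICKEY (added in 7.39.0, the sha256// form in 7.44.0, exposed to PHP from 7.0.7), which did not exist when the comment was written.

```php
<?php
// Added example, not WordPress core or Trac code. Shows why pinning the
// SubjectPublicKeyInfo (SPKI) survives certificate renewal while a pin on the
// certificate (or trust in the CA alone) does not help against a mis-issued cert.
// Everything is generated at run time; "example.test" is a placeholder name.

// HPKP / cURL-style pin: base64(sha256(DER(SubjectPublicKeyInfo))).
function spki_pin($cert): string
{
    // openssl_pkey_get_public() accepts an X.509 certificate and yields its key.
    $pub = openssl_pkey_get_public($cert);
    if ($pub === false) {
        throw new RuntimeException('cannot extract public key: ' . openssl_error_string());
    }
    // 'key' is the PEM "PUBLIC KEY" block, i.e. the SPKI structure.
    $pem = openssl_pkey_get_details($pub)['key'];
    $der = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $pem), true);
    return 'sha256//' . base64_encode(hash('sha256', $der, true));
}

// Fingerprint of the whole DER certificate (hex SHA-256), for contrast.
function cert_fingerprint($cert): string
{
    return openssl_x509_fingerprint($cert, 'sha256');
}

// Self-sign a certificate for $key. A "renewal" keeps the key but gets a new
// serial number and validity period, so the certificate bytes change.
function issue_cert($key, int $days, int $serial)
{
    $csr  = openssl_csr_new(['commonName' => 'example.test'], $key, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, null, $key, $days, ['digest_alg' => 'sha256'], $serial);
    if ($cert === false) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $cert;
}

// Verifier side: accept the peer only if its SPKI hash is in the pin set.
// In practice the set also holds a backup pin for an offline key, so the
// operator can rotate keys without locking out pinned clients.
function peer_pinned(array $pinned, $peerCert): bool
{
    return in_array(spki_pin($peerCert), $pinned, true);
}

$keyParams = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA];

$siteKey  = openssl_pkey_new($keyParams);
$original = issue_cert($siteKey, 365, 1);   // the certificate in service today
$renewed  = issue_cert($siteKey, 365, 2);   // same key pair, re-certified after expiry

$otherKey  = openssl_pkey_new($keyParams);
$misissued = issue_cert($otherKey, 365, 3); // same name, somebody else's key

$pins = [spki_pin($original)];

printf("original  fp=%s\n          pin=%s\n", cert_fingerprint($original),  spki_pin($original));
printf("renewed   fp=%s\n          pin=%s\n", cert_fingerprint($renewed),   spki_pin($renewed));
printf("misissued fp=%s\n          pin=%s\n", cert_fingerprint($misissued), spki_pin($misissued));

// The renewed certificate has a different fingerprint but the same pin, so it
// passes; the mis-issued certificate for the same name has a different pin and fails.
var_dump(peer_pinned($pins, $renewed));
var_dump(peer_pinned($pins, $misissued));
```

Run it with the openssl extension loaded (`php pin_demo.php`). Note that CA pinning, option 2 in the comment, would accept all three certificates if they came from the pinned CA, whereas the SPKI pin accepts only the two that share the site's key pair; the cost is that the pin set must include a backup key before the live key can ever be replaced.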