ASUS delivers BIOS/UEFI auto-updates over HTTP with no verification

Many of these apply to using an LE or commercial CA cert as well, and your program will need to be programmed to check certificates against the OS's store or its own either way.

That isn't how the APIs are structured.

If you're using an installed CA, you can just ask the OS to get a file over HTTPS and it will either throw an exception or it will succeed. If you want to use a custom CA it is more involved because you have to take over various parts of the process, to add logic which would check the CA the other side's certificate is attempting to use then drop the connection if it is invalid/unknown.

To get specific, in C# you can just use the WebClient class to download files over HTTPS using a known (to the OS) CA and a certificate signed by that CA. To implement custom certificate or CA verification you cannot use WebClient and instead have to utilise something like an X.509 certificate validator callback on a WebRequest. Not rocket science, but more involved.

Also, please don't use serial numbers for verification, wtf.

You're talking about using a custom CA for HTTPS or code signing. If you want to assure that only your company's custom CA gets utilised in this process, and not some other CA, then you'll need some way of verifying who the CA is in your software.

There are tons of things you could check to verify the custom CA is your CA, including serial number, thumbnail, and various other metadata. You cannot just allow any CA or certificate, as a "bad guy" could just create their own.

Where do you get this number?

Wages. Two members of staff, sitting in a room planning this out. Let's say it only takes an hour; it could easily be $50, and that doesn't include benefits and other costs. This is a meeting which could be avoided by just buying a certificate and simplifying the workflow.

Most companies should use dedicated HSMs for storing and generating these keys... it takes maybe 15 minutes at most.

And what's the wage cost of setting that up? Likely more than a certificate from a standard CA.

Use a third party library for this, it's called certificate pinning.

Actually it isn't. Certificate pinning requires you to validate the certificate then store that certificate's unique info (e.g. serial) for a set period of time as the "known good" certificate for a given host. What you're proposing is quite different, using a self-signed certificate that cannot be validated through normal means and requires you to manually validate the certificate using logic within the software, install a custom CA, or similar.
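The two comments above that mention a certificate validation callback in .NET and the difference between a private CA and pinning are easier to reason about with the callback written out. The following is an added example, not code from the thread or from ASUS: an updater that downloads a file over HTTPS and accepts the server only if its certificate chains to the company's own root CA, which is identified by its SHA-256 fingerprint rather than its serial number. It assumes .NET 6 or later (for `HttpClientHandler.ServerCertificateCustomValidationCallback`, `X509ChainTrustMode.CustomRootTrust`, `SHA256.HashData` and `Convert.ToHexString`); the root CA file path, the fingerprint and the update URL are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example (not from the thread): HTTPS download that trusts ONLY the
// company's private root CA, ignoring the OS trust store entirely.
static class PrivateCaDownloader
{
    // Assumption: the company root CA certificate ships with the updater.
    // Placeholder path; in practice an embedded resource.
    const string RootCaPath = "company-root-ca.cer";

    // Assumption: SHA-256 fingerprint of that root, fixed at build time so a
    // swapped file on disk cannot silently change the trust anchor.
    // Placeholder; compute the real one from the DER bytes of the root.
    const string RootCaSha256 = "PLACEHOLDER_HEX_FINGERPRINT";

    // Returns true only if 'leaf' builds a valid chain whose anchor is exactly
    // 'privateRoot'. Intermediates the server presented are reused from the
    // OS-built chain so the chain can be completed.
    public static bool ChainsToPrivateRoot(X509Certificate2 leaf, X509Chain presented,
                                           X509Certificate2 privateRoot, string expectedRootSha256)
    {
        // 1. Verify the embedded root is the one we pinned.
        string actual = Convert.ToHexString(SHA256.HashData(privateRoot.RawData));
        if (!actual.Equals(expectedRootSha256, StringComparison.OrdinalIgnoreCase))
            return false;

        // 2. Rebuild the chain with our root as the only trust anchor.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(privateRoot);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; // CRL/OCSP of the private CA
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (presented != null)
        {
            foreach (X509ChainElement el in presented.ChainElements)
            {
                if (el.Certificate.Thumbprint != leaf.Thumbprint)
                    chain.ChainPolicy.ExtraStore.Add(el.Certificate);
            }
        }
        if (!chain.Build(leaf))
            return false;

        // 3. Defence in depth: the anchor actually used must be our root, byte for byte.
        X509Certificate2 anchor = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return anchor.RawData.AsSpan().SequenceEqual(privateRoot.RawData);
    }

    public static async Task<byte[]> DownloadAsync(Uri url, X509Certificate2 privateRoot, string expectedRootSha256)
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            // No certificate, or hostname does not match: refuse regardless of chain.
            if (cert == null) return false;
            if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;
            if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;
            // RemoteCertificateChainErrors is expected: the OS does not know our CA,
            // so the chain decision is made here instead.
            return ChainsToPrivateRoot(cert, chain, privateRoot, expectedRootSha256);
        };
        using var client = new HttpClient(handler);
        return await client.GetByteArrayAsync(url);
    }

    static async Task Main()
    {
        using var root = new X509Certificate2(RootCaPath);
        // Placeholder URL for the update server.
        byte[] image = await DownloadAsync(new Uri("https://updates.example.internal/bios.bin"),
                                           root, RootCaSha256);
        Console.WriteLine($"Downloaded {image.Length} bytes over a privately-rooted TLS connection");
    }
}
```

Comparing by the root's SHA-256 fingerprint (or by raw DER bytes, as step 3 does) avoids the serial-number check the thread warns against: a serial is chosen by whoever issues the certificate, so an attacker's own CA can reuse it, whereas a fingerprint commits to the entire certificate including its public key. This callback covers transport only; because the thread is about firmware images, the downloaded file should still carry its own signature that the updater verifies before flashing.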

/r/sysadmin Thread Parent Link - teletext.zaibatsutel.net