SSL Certs & You
Killer Rhino.6794:
Hello, world
So, we’re all really excited for the GW2 APIs to be up. As a gesture of my gratitude to the devs, I’d like to share some technical points to consider when working with with ’dem shiny new endpoints.
Note: There is a lot more to Internet security that is outside the purpose of this post. For a really in-depth look into HTTPS, see Apple’s TN2232
HTTPS vs. HTTP
At its very basic, HTTPS is your average HTTP protocol placed over a layer of encryption. Encryption is done through SSL/TLS.
When connecting to a server via HTTPS, the protocoal expects the server to eventually provide a public key certificate. This certificate contains identity information, which can be evaluated by the client to verify that the server is really who it says it is.
Taking the server’s word for it
But that’s just half of the story. Just because a server claims to be api.guildwars2.com, doesn’t mean you can just take its word for it. Rather, public key certificates rely on a chain of trust, wherein another authority (CA) vouches for the server’s identify.
Note: Humans have agreed to, and have put collective faith in, a select group of authorities. This is a (somewhat) manual process; this is what VeriSign is often known for.
How to break the Internet
Turns out, some certificate authorities are more “well known” than others (it’s all politics, man). In the case with the certificate installed on the server hosting https://api.guildwars2.com, the SSL certificate was issued by an authority that has given some community developers grief, and they have decide to ignore server trust completely.
I’m going to guess that a good way to undermine ArenaNets’ support & proliferation of a public REST API is to have 100s of community projects sharing code that talk to their service without any checks and balances. But there’s still a decent way to ensure security.
Pinning your hopes, dreams, and cert
As an alternative to blindly tossing away any attempt at security a server will throw back at your client, there is something called cert pinning.
Once a server’s SSL certificate is made public, a client can copy the certificate’s “fingerprint” and validate it continues to match the cert signature on the server for every request made. This is known as cert pinning.
If you are developing an application that will be using cert pinning still be certain that the certificate being pinned is legit; however, you’re no longer at the mercy of companies like Oracle, who might not include the certificate’s authority in their list of acceptable CA’s.
Plus, it’s all the rage.
How to pin
If your preferred networking library doesn’t include cert pinning out-of-the-box, you can always hack it in to your project anyways. The site is a little slow, but this page has some pretty good examples for various platforms and languages.
end communication
Cliff Spradlin.3512:
Nice summary!
I’m also really interested in DANE / RFC 6698 because it reduces the trust required to just the domain registrar, who you’re already having to trust to return valid DNS results.