4

A third party my system needs to connect to (via FTPS) is using a certificate that is not trusted by machine (unknown certificate).

If I want to avoid installing the certificates from the issuing authority on every server that my application needs to run on, could I as an alternative just get the third party to confirm the SHA-256 fingerprint of their certificate in advance, and just override my certificate validation logic to check the fingerprint?

Would that provide the same level of security as installing the certificates from the issuing authority?

I have read the answers to this question, and it makes me think that this is fine, but my question is about configuring my application with the fingerprints and using them to validate received certificates rather than manually checking fingerprints while browsing etc.

Ergwun
  • 143
  • 4

1 Answers1

3

What you are referring to is usually called pinning, i.e. check that the certificate or the public key in it are known to the application by either comparing the certificate/pubkey itself or using a fingerprint for validation.

This is a perfectly valid way to validate a certificate as long as the fingerprint is strong enough, i.e. SHA-256 is fine while MD5 is long considered broken and practical attacks against SHA-1 were just shown so it is bad too. But, having only pinning does not offer a way for the client to check for certificate revocation. This might be fine if the certificate check is done inside an application and the application will be quickly updated with a new fingerprint when needed but it is not a good idea if there is no way to update the expected fingerprint in a secure way.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465