Microsoft Considering Public-Key Pinning for Internet Explorer

JMH

Microsoft is considering adding public-key pinning–an important defense against man-in-the-middle attacks–to Internet Explorer.

The feature is designed to help protect users against the types of MITM attacks that rely on forged certificates, which comprise a large portion of those attacks. Attackers use forged or stolen certificates to trick victims’ browsers into trusting a malicious site that the attacker controls. Public-key pinning helps prevent those attacks by binding a set of public keys issued by a trusted certificate authority to a specific domain. With that defense in place, if the user visits the site and is presented with a key that’s not part of the pinned set, the browser will reject the secure connection.

Public-key pinning as an extension to HTTP is laid out in an Internet-Draft submitted to the IETF by a group of Google security engineers in October. The draft makes it clear that in order for the system to work, site operators must be up to the task.
Microsoft Considering Public-Key Pinning for Internet Explorer | Threatpost | The first stop for security news
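
The pin check described in the quoted article, sketched as an added example (not part of the original post or the article): it parses a `Public-Key-Pins` header in the syntax later standardized as RFC 7469, decides whether a browser would store the pins, and rejects a connection whose chain contains no pinned key. The host names and the byte strings standing in for DER SubjectPublicKeyInfo blobs are constructed for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value (report-uri is ignored here)."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in filter(None, (d.strip() for d in value.split(";"))):
        name, _, arg = directive.partition("=")  # splits before any base64 padding
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def should_note_pins(policy: dict, chain_spkis: list) -> bool:
    """Store pins only if the current chain matches one pin AND at least one
    pin is a backup that matches nothing in the chain (max-age=0 stores nothing)."""
    if not policy["max_age"] or not policy["pins"]:
        return False
    chain = {spki_pin(s) for s in chain_spkis}
    return bool(policy["pins"] & chain) and bool(policy["pins"] - chain)

def pins_for(host: str, pin_store: dict):
    """Find the pin set for host, honouring includeSubDomains on parent domains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = pin_store.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["include_subdomains"]):
            return policy["pins"]
    return None

def connection_allowed(host: str, chain_spkis: list, pin_store: dict) -> bool:
    """Reject when the host is pinned and no key in the presented chain is pinned."""
    pins = pins_for(host, pin_store)
    if pins is None:
        return True  # no pins known for this host: normal CA validation only
    return any(spki_pin(s) in pins for s in chain_spkis)

# Constructed stand-ins for SubjectPublicKeyInfo blobs (not real keys).
LEAF, CA, BACKUP, FORGED = b"leaf-spki", b"ca-spki", b"backup-spki", b"forged-spki"
HEADER = (f'pin-sha256="{spki_pin(CA)}"; pin-sha256="{spki_pin(BACKUP)}"; '
          'max-age=5184000; includeSubDomains')
```

The backup-pin requirement is what makes the operator burden mentioned in the article concrete: a site that pins only its current key and then loses or rotates it locks out every browser that stored the pin until `max-age` expires.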
 
