"Don't use Windows Cert. Store" checkbox in Advanced Site Settings: TLS/SLL

Advertisement

GuestX1
Guest

"Don't use Windows Cert. Store" checkbox in Advanced Site Settings: TLS/SLL

Request: add "Don't use Windows Certificate Store" checkbox in Advanced Site Settings: TLS/SLL (and the equivalent entry for scripting)

Why: if I know that I control the server and the clients, I don't want the certificates issued by other Certificate Authorities to be allowed for a connection. I believe this option would be enough to provide that?

Please suggest if there's any other way to achieve the goal of being sure only own issued certificates are used for TLS transfers for the desired destinations.

Reply with quote

Advertisement

Guest

Alternatively, a little different option would be: "Trust only this CA" where the CA name and checksum are specified. That would accept the connection only if the certificate is signed by the specified CA.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,517
Location:
Prague, Czechia

Re: "Don't use Windows Cert. Store" checkbox in Advanced Site Settings: TLS/SLL

Thanks for your suggestion.
Will see if more people ask for this.

Reply with quote

Guest

Re: "Don't use Windows Cert. Store" checkbox in Advanced Site Settings: TLS/SLL

Making sure that not other certificates are used is already a feature in SSH protocol. As far as I understand, WinSCP already allows the check of the certificate hash for the SSL/TLS but, unfortunately, only if the route through the Windows store fails, allowing the attackers to misuse any of the trusted CAs for the MITM attack. Trusting other CAs is not a good approach for anybody who maintains his own server and the clients, and it's not paranoia but really an issue, see the list of the known public failures:
https://cromwell-intl.com/cybersecurity/pki-failures.html
Comodo, October 2016
GlobalSign, October 2016
National Informatics Centre of India, July 2014
ANSSI, December 2013
Mozilla's reaction to the problem trend, February 2013
Trustwave, February 2012
Türktrust, August 2011 — January 2013
DigiNotar, June–September 2011Comodo, March 2011[/list]
Google, to solve the problems actually seen, for HTTPS and first for their own servers and the client (Chrome) also introduced the concept of the "certificate pinning":
https://datatracker.ietf.org/doc/html/rfc7469

However even without inventing the new modes of "pinning" for which the servers would have to be enhanced you can allow the users of WinSCP to control which certificates and authorities they want to trust in WinSCP using the code that you already wrote! It's just a few new ifs and adding the interface (in the case you accept the first "checkbox" proposal).

Thank you once again in considering that possibility.

Reply with quote

Advertisement

You can post new topics in this forum