Topic "Don't use Windows Cert. Store" checkbox in Advanced Site Settings: TLS/SSL

Author Message
GuestX1

Guest


Request: add "Don't use Windows Certificate Store" checkbox in Advanced Site Settings: TLS/SSL (and the equivalent entry for scripting)

Why: if I know that I control the server and the clients, I don't want the certificates issued by other Certificate Authorities to be allowed for a connection. I believe this option would be enough to provide that?

Please suggest if there's any other way to achieve the goal of being sure that only own-issued certificates are used for TLS transfers for the desired destinations.
Guest




Alternatively, a little different option would be: "Trust only this CA" where the CA name and checksum are specified. That would accept the connection only if the certificate is signed by the specified CA.
martin◆
Site Admin
Joined: 2002-12-10
Posts: 26890
Location: Prague, Czechia
Thanks for your suggestion.
Will see if more people ask for this.
Guest




Making sure that no other certificates are used is already a feature in the SSH protocol. As far as I understand, WinSCP already allows the check of the certificate hash for SSL/TLS but, unfortunately, only if the route through the Windows store fails, allowing attackers to misuse any of the trusted CAs for a MITM attack. Trusting other CAs is not a good approach for anybody who maintains his own server and the clients, and it's not paranoia but really an issue; see the list of the known public failures:

https://cromwell-intl.com/cybersecurity/pki-failures.html


    Comodo, October 2016

    GlobalSign, October 2016

    National Informatics Centre of India, July 2014

    ANSSI, December 2013

    Mozilla's reaction to the problem trend, February 2013

    Trustwave, February 2012

    Türktrust, August 2011 — January 2013

    DigiNotar, June–September 2011

    Comodo, March 2011


Google, to solve the problems actually seen, also introduced the concept of "certificate pinning" for HTTPS, first for their own servers and the client (Chrome):

https://tools.ietf.org/html/rfc7469

However, even without inventing the new modes of "pinning", for which the servers would have to be enhanced, you can allow the users of WinSCP to control which certificates and authorities they want to trust in WinSCP using the code that you already wrote! It's just a few new ifs and adding the interface (in case you accept the first "checkbox" proposal).

Thank you once again for considering that possibility.
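The "trust only this CA" behaviour requested in this thread, sketched as an added Python example (not part of the original posts and not WinSCP code): the client starts from an empty trust store instead of the Windows store, loads a single private CA, and then also checks the server certificate's SHA-256 fingerprint. The function names, the `ca_file` path and the pin format are assumptions for illustration; the pin is the hash of the whole certificate, not the RFC 7469 public-key hash.

```python
import hashlib
import hmac
import socket
import ssl


def private_ca_context(ca_file=None):
    """TLS client context that never consults the OS certificate store."""
    # A bare SSLContext starts with an empty trust store. Only
    # load_default_certs() / create_default_context() would pull in the
    # Windows store, and they are deliberately not called here.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)  # the one CA we issued ourselves
    return ctx


def normalize_pin(text):
    """Accept 'AA:BB:...' or 'aabb...' SHA-256 fingerprints; return raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin must be a SHA-256 fingerprint (32 bytes)")
    return raw


def fingerprint_matches(der_cert, pin_text):
    """Constant-time comparison of SHA-256(DER certificate) with the pin."""
    digest = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(digest, normalize_pin(pin_text))


def connect_pinned(host, port, ca_file, pin_text, timeout=10):
    """Handshake against the private CA only, then enforce the leaf pin."""
    ctx = private_ca_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # The handshake fails here if the chain does not end at ca_file,
        # even when a publicly trusted CA signed the presented certificate.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not fingerprint_matches(der, pin_text):
                raise ssl.SSLError("certificate fingerprint does not match pin")
            return tls.version()
```

The pin has to be updated whenever the server certificate is renewed, while the CA restriction alone survives renewals under the same CA.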