Mitigating the Impact of Unauthorized X.509 Certificates

Question

An attacker compromises a public CA and issues unauthorized X.509 certificates for Company.com.

In the future, Company.com wants to mitigate the impact of similar incidents.

Which of the following would assist Company.com with its goal?

Answers

Explanations

A.

In this scenario, an attacker has compromised a public Certificate Authority (CA) and issued unauthorized X.509 certificates for Company.com. Because clients trust the compromised CA, the attacker can obtain certificates for any domain, including Company.com, and use them to perform Man-in-the-Middle (MitM) attacks: intercepting and modifying encrypted traffic and stealing sensitive information. To mitigate the impact of similar incidents, Company.com can consider the following measures:

A. Certificate pinning: Certificate pinning is a technique that ensures that a web browser or mobile app only trusts a specific SSL/TLS certificate or public key, rather than any certificate issued by a particular CA. This can help protect against attacks where an attacker uses a rogue certificate issued by a compromised or malicious CA to perform a MitM attack.

B. Certificate stapling: Certificate stapling is a technique where the server provides a digitally signed and timestamped version of its SSL/TLS certificate to the client during the initial TLS handshake. This helps to prevent attackers from using fake certificates to impersonate the server and perform MitM attacks.

C. Certificate chaining: Certificate chaining is the process of using multiple certificates to create a chain of trust from a root CA to the end entity (such as a web server or email server). This helps to ensure that the certificate is issued by a trusted CA and has not been tampered with.

D. Certificate with extended validation: Extended Validation (EV) certificates are SSL/TLS certificates that require a more rigorous validation process than regular certificates. This includes verifying the identity and physical location of the entity requesting the certificate. This helps to ensure that the certificate is issued to the correct entity and not to an attacker who has stolen the domain name or other credentials.

Of the options given, A (certificate pinning) and B (certificate stapling) would be the most effective measures to assist Company.com in mitigating the impact of similar incidents in the future. Certificate chaining and EV certificates can be used as additional security measures, but they are less effective against attacks in which the CA itself has been compromised, since the rogue certificate still chains to a trusted root and still passes the CA's validation process.
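The following Go program is an added illustration and is not part of the original question or its explanation. It uses only the Go standard library; the CA name, the company.com hostname and every key in it are constructed for the example. A single CA issues two certificates for company.com: one bound to the legitimate server key and one, standing in for the compromised-CA incident in the question, bound to an attacker's key. Ordinary path validation accepts both, because both chain to a trusted root; the pin check, written in the shape of a tls.Config.VerifyPeerCertificate callback, accepts only the certificate whose SubjectPublicKeyInfo hash matches the pin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin: base64(SHA-256(SubjectPublicKeyInfo)), the pin format HPKP and most mobile pinning libraries use.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedVerifier builds a callback for tls.Config.VerifyPeerCertificate. Go runs it after
// ordinary chain validation, so a certificate a compromised CA issued still fails here.
func pinnedVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if pins[spkiPin(cert)] {
				return nil
			}
		}
		return errors.New("pin validation failed: no pinned key in the presented chain")
	}
}

// mint generates a fresh P-256 key and a certificate for it: a self-signed CA when parent is
// nil, otherwise a server certificate for cn signed by parent. All names/keys are constructed.
func mint(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer := key
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent = tmpl
	} else { // leaf: Go's Verify matches DNSName against SANs, not the CN
		tmpl.DNSNames = []string{cn}
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PinDemo models the question: a public CA issues company.com's real certificate and, once
// compromised, a second one for the same name under an attacker's key. Returns: path validation
// accepts rogue?, pin check accepts legitimate?, pin check rejects rogue?
func PinDemo() (bool, bool, bool, error) {
	ca, caKey, err := mint("Public CA (example)", nil, nil)
	if err != nil {
		return false, false, false, err
	}
	legit, _, err := mint("company.com", ca, caKey) // Company.com's own key
	if err != nil {
		return false, false, false, err
	}
	rogue, _, err := mint("company.com", ca, caKey) // attacker-controlled key, same CA
	if err != nil {
		return false, false, false, err
	}
	// Ordinary path validation is happy with the rogue certificate: it chains to a trusted root.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, chainErr := rogue.Verify(x509.VerifyOptions{Roots: roots, DNSName: "company.com"})
	// The client pins only Company.com's own key (a backup pin would normally join it).
	verify := pinnedVerifier(map[string]bool{spkiPin(legit): true})
	legitOK := verify([][]byte{legit.Raw, ca.Raw}, nil) == nil
	rogueRejected := verify([][]byte{rogue.Raw, ca.Raw}, nil) != nil
	return chainErr == nil, legitOK, rogueRejected, nil
}

func main() {
	fmt.Println(PinDemo()) // prints: true true true <nil>
}
```

Two design points matter in practice. Pin a key you control (the server's own key or your own intermediate's), not the public CA's key: pinning the CA key would accept anything that CA issues, which is exactly the failure being mitigated. And keep at least one backup pin for a key held offline, so that a planned key rotation or a compromise of the server key does not lock clients out of the site.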