TOFU and certificate pinning #69

@antoinemzs

Description

Note

This would be worth considering both for agent processes (this repo) and implant processes (OpenBAS-Platform/implant)

Context

TOFU: Trust on first use
Certificate pinning: remembering a specific certificate's signature to find out when it is swapped

Some users are having difficulties deploying an OBAS environment due to policies to use TLS internally. They often rely on an in-house PKI (or self-signed certs), and thus the CA will not be trusted out-of-the-box on the various hosts (especially in a lab situation where hosts would be specially purposed VMs with no specific setup).

The risk is that some OBAS deployment situations would risk tempting admins into disabling TLS cert validation (to retain only transport encryption) if deploying a non-default CA cert on all involved machines proves costly, thus opening agent and implant processes to MitM.

Optional: enable admins to pre-embed a certificate for initial trust at install time

Use case

TOFU: the use case here is to allow using a certificate on the OBAS server signed by an untrusted CA, and would establish an implicit trust upon the very first TLS certificate obtained via the initial connection to the OBAS server.
The MitM attack surface here would be to be able to intercept the first connection, so that the agent trusts the wrong certificate; barring this scenario, agents would remember the correct certificate and thwart future MitM attempts.

Certificate pinning: TOFU's main usage spans a process lifetime. Typically processes would "forget" their TOFUed certificates on restart. Certificate pinning here serves as an offline ad-hoc store to reload the past TOFU knowledge on process restart. This would be most useful for session-based agents, but still useful for all kinds of agents.
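As an added example (not code from the OpenBAS agent or implant), a minimal Python sketch of the TOFU plus pin-store flow described above: the first connection records the SHA-256 fingerprint of the server's leaf certificate in a JSON file, later connections (including after a process restart) must present the same certificate, and a mismatch aborts the connection before any application data is sent. The host, port, store path and `host:port` key format are assumptions; pre-seeding the JSON file with a fingerprint corresponds to the optional pre-embedded certificate at install time.

```python
import hashlib, hmac, json, os, socket, ssl

class PinMismatch(Exception):
    """The server presented a certificate that differs from the remembered pin."""

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()

def check_pin(pins: dict, key: str, der_cert: bytes) -> str:
    """TOFU decision: 'pinned' on first use, 'ok' on a match, PinMismatch on a swap."""
    fp = fingerprint(der_cert)
    known = pins.get(key)
    if known is None:
        pins[key] = fp  # first use: remember this certificate from now on
        return "pinned"
    if not hmac.compare_digest(known, fp):
        raise PinMismatch(f"{key}: expected {known}, got {fp}")
    return "ok"

def load_pins(path: str) -> dict:
    """Offline pin store so TOFU knowledge survives restarts; admins may pre-seed it."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)

def save_pins(path: str, pins: dict) -> None:
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(pins, f)
    os.replace(tmp, path)  # atomic, so a crash cannot leave a half-written store

def connect_tofu(host: str, port: int, store_path: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open TLS and keep the socket only if check_pin accepts the leaf certificate.
    CERT_NONE only skips CA-chain validation; the pin check runs before any data is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    pins = load_pins(store_path)
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        outcome = check_pin(pins, f"{host}:{port}", tls.getpeercert(binary_form=True))
    except PinMismatch:
        tls.close()  # swap detected: refuse to talk to this server
        raise
    if outcome == "pinned":
        save_pins(store_path, pins)
    return tls
```

The window for a MitM is exactly the first call, as the issue notes; after that a swapped certificate raises PinMismatch and the agent never sends data to it.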

Current Workaround

Manually install the CA cert in all hosts' OS cert store.

Proposed Solution

Implement TOFU and/or certificate pinning.

Additional Information

Here's a detailed rundown of what that entails in practice. There are caveats, but the use case is to facilitate early deployments.
https://duckpond.ch/tls-tofu/git-sync-mirror/kamikaze/security/2019/05/07/tofu-for-containers.html

Labels: feature, needs triage