<h1>Pin your certificates!</h1>
<p><em>RiskInsight (Wavestone), published 4 April 2013, last modified 31 December 2019. Author: zephSolucomBO. Original French title: “Épinglez vos certificats !” (<a href="https://www.riskinsight-wavestone.com/en/2013/04/epinglez-vos-certificats/">https://www.riskinsight-wavestone.com/en/2013/04/epinglez-vos-certificats/</a>).</em></p>
<p>In <a href="http://www.solucominsight.fr/2013/02/http-strict-transport-policy-une-avancee-dans-la-securisation-des-echanges-sur-internet/" target="_blank" rel="noopener noreferrer">a previous article</a>, we looked at how to improve the security of HTTPS connections using the HTTP Strict Transport Security (HSTS) mechanism. We also mentioned, however, the residual risk of traffic being decrypted through the use of “genuine-fake” certificates. In this article we will see how to mitigate that risk with a technique called “<em>certificate pinning</em>”, which we might render in French, somewhat clumsily, as “épingler les certificats”.</p>
<h2>HTTPS, or the reign of “blind trust”</h2>
<p>When a user connects to a website over the encrypted HTTPS protocol, it is the SSL protocol (<em>Secure Sockets Layer</em>) that handles the encryption. To do so, it relies on asymmetric cryptography.</p>
<p>The user's web browser tries to verify the identity of the server it is connecting to. To that end, the server presents the browser with an X.509 certificate containing, among other things, its public key and a signature. The browser then checks the validity of the signature and uses the public key to exchange a session key, which is used to encrypt all subsequent communications symmetrically.</p>
<p>The browser checks the validity of the signature by making sure that there is a chain of trust (<em>chain of trust</em>) between the certificate and one of the trusted certification authorities. Who are these trusted authorities? It is in trying to answer this question that one realises how fragile the current system is.</p>
<p>For the browser to accept the connection, it walks up the chain of trust to the root certification authority and makes sure that this root is present in its certificate store.</p>
<figure id="attachment_3634" aria-describedby="caption-attachment-3634" class="wp-caption aligncenter"><img class="size-full wp-image-3634" title="im1" src="http://www.solucominsight.fr/wp-content/uploads/2013/04/im1.png" alt="Certificate chain for the Google search engine over HTTPS" width="515" height="113" /><figcaption id="caption-attachment-3634" class="wp-caption-text">When accessing the Google search engine over HTTPS, the root authority is Equifax.</figcaption></figure>
<p>The Firefox browser, for instance, has its own store of trusted certificates. Others, such as Internet Explorer and Chrome, rely on the operating system's certificate store.</p>
<p>And by default, these stores are full of certification authorities, from every country! Firefox's store holds more than a hundred of them.</p>
<figure id="attachment_3635" aria-describedby="caption-attachment-3635" class="wp-caption aligncenter"><img class="wp-image-3635" title="im2" src="http://www.solucominsight.fr/wp-content/uploads/2013/04/im2.png" alt="Excerpt of the root certification authorities trusted by Firefox" width="422" height="398" /><figcaption id="caption-attachment-3635" class="wp-caption-text">Excerpt of the root certification authorities trusted by Firefox by default</figcaption></figure>
<p>It is therefore enough for a single one of these certification authorities to issue, by mistake or, more likely, following an attack, a valid certificate for “*.google.com” for attackers to be able to carry out a Man-in-the-Middle attack. By impersonating a legitimate Google server, they could intercept and decrypt the exchanges between the browser and the server… Unfortunately this threat is not science fiction, as <a href="http://www.zdnet.fr/actualites/piratee-l-autorite-de-certification-diginotar-est-en-faillite-39764136.htm">the example of DigiNotar</a> in 2010 shows.</p>
<p>Moreover, where strategic information is being exchanged, the state-level threat must be taken into account. What would happen if the government of a country asked one of that country's certification authorities, one that is on Firefox's list of trusted root authorities, to sign a valid certificate for mail.google.com? Would that company be in a position to refuse, or to speak out about it? The answer is most likely no; in that case the browser would accept the genuine-fake certificate and show the user no warning at all.</p>
<h2>Limiting trust in certification authorities</h2>
<p>To guard against the two scenarios above, SSL can be used in a different way, by creating an association between a site's domain name (<a href="http://www.google.com">www.google.com</a>) and the certificate or certification authority that is expected. Only the expected certificate, or a certificate signed by one of the expected certification authorities, is then accepted, and a warning is raised if any other certificate is presented.</p>
<p>This requires a repository of these valid associations (website / certificate), or building one progressively as sites are visited. Unfortunately, browsers do not really support this kind of mechanism. It can, however, be done with add-ons, such as <a href="https://addons.mozilla.org/fr/firefox/addon/certificate-patrol/">Certificate Patrol</a> for Firefox.</p>
<p>Google Chrome already performs validation of this kind for a limited number of sites. The file containing the whitelist of sites for which <a href="http://www.solucominsight.fr/2013/02/http-strict-transport-policy-une-avancee-dans-la-securisation-des-echanges-sur-internet">HSTS</a> is enabled by default also contains the list of sites for which pinning is enabled:</p>
<pre>{
  "pinsets": [
    […]
    {
      "name": "google",
      "static_spki_hashes": [
        "VeriSignClass3",
        "VeriSignClass3_G3",
        "Google1024",
        "Google2048",
        "GoogleBackup1024",
        "GoogleBackup2048",
        "EquifaxSecureCA",
        "GeoTrustGlobal"
      ],
      "bad_static_spki_hashes": [
        "Aetna",
        "Intel",
        "TCTrustCenter",
        "Vodafone"
      ]
    },
  […]
  "entries": [
    // Dummy entry to test certificate pinning.
    { "name": "pinningtest.appspot.com", "include_subdomains": true, "pins": "test" },

    // (*.)google.com, if using SSL, must use an acceptable certificate.
    { "name": "google.com", "include_subdomains": true, "pins": "google" },</pre>
<p><em>Excerpt from the file </em><a href="https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.json"><em>transport_security_state_static.json</em></a></p>
<p>When connecting to a site of the form “google.com”, Google Chrome therefore checks that the certificate is valid and that it is signed by one of the authorised certification authorities. It also appears that this information is reported back to Google's servers: this is how <a href="https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/">the case of the intermediate certificate distributed by Turktrust</a> was discovered and made public.</p>
<p><em>Pinning</em> is most often seen in mobile applications, since it is easy for the developer to include the expected certificate in the application package. For web browsers, add-ons are the only option, short of modifying the source file excerpted above and recompiling, which is probably not the simplest solution.</p>
<p><a href="https://www.owasp.org">OWASP</a> recently published a <a href="https://www.owasp.org/index.php/Pinning_Cheat_Sheet">cheat sheet</a>, as well as a <a href="https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning">more detailed article</a>, on the technical implementation of <em>pinning</em>, in particular in the context of mobile application development.</p>
<p>Although hard to generalise, the use of <em>pinning</em> looks like a logical evolution to address the risks associated with trust hierarchies. It is to be recommended for well-controlled systems such as mobile applications and VPNs.</p>
<p>For deployment in web browsers, we will unfortunately have to wait for the major vendors to integrate this feature. In a corporate context, one could imagine telling the browser to accept only certificates issued by the internal PKI for company sites.</p>