EDR: Why Are Self-Signed Certificates Used For Sensor Communication?
Article ID: 287229
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Why are self-signed certificates used for sensor communication?
Environment
EDR Server: All Versions
EDR Sensor: All Versions
Resolution
Sensor-to-server communications use statically pinned SSL certificates on both the client and the server side. At the time of sensor download, the server's certificate is burned into the sensor by default.
Additional Information
Using self-signed certificates here does not decrease security at all; in fact, it increases overall security. The guidance that "self-signed certificates are bad" applies to their use in web browsers, which rely on a system of distributed trust, not to machine-to-machine communications.
In all subsequent communications, the sensor validates that the certificate presented by the server matches exactly the one that was burned in. Likewise, the server issues each sensor a client certificate signed by the server's unique CA. After the sensor has validated the server's certificate, the server demands a client certificate. That client certificate is checked against a list of specific valid client certificates; if it does not match, the connection is terminated.

Contrast this with the SSL ecosystem in the browser: because a website does not have the luxury of pre-deploying a specific certificate in every browser, it must rely on Certificate Authorities. Those CAs deploy their root certificates in all the major browsers and then issue certificates to individual domain names after validating ownership. Adding a third party into the mix decreases overall security by introducing additional attack surface that must be protected. While such incidents are unlikely, examples like the compromise at DigiNotar and poor validation practices at VeriSign demonstrate that the risk of relying on CAs is real.
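As an added illustration (this is not Carbon Black code and does not describe the product's implementation), the following Go program builds the two checks just described in miniature: a sensor that pins the exact server certificate it was given, and a server that issues sensor certificates from its own private CA and still rejects any certificate that is not on its list of enrolled sensors. All names (edr-server, sensor-a, sensor-b), the choice of Ed25519 keys, and the SHA-256-of-DER comparison are assumptions made for the example; extended key usages are omitted for brevity, and the server certificate and the sensor CA are both self-signed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes an Ed25519 key and certificate for cn; with parent == nil the certificate is self-signed.
func issue(cn string, ku x509.KeyUsage, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, // only the sensor CA gets CertSign
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent (the server's CA) is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serverConfig demands a client certificate chaining to the server's own CA, then rejects any not on the enrolled list.
func serverConfig(cert, ca tls.Certificate, allowed map[[32]byte]bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if !allowed[sha256.Sum256(chains[0][0].Raw)] { // a valid CA signature alone is not enough
				return fmt.Errorf("client certificate %q is not on the allow list", chains[0][0].Subject.CommonName)
			}
			return nil
		},
	}
}

// clientConfig mirrors the sensor: no CA store at all; the server must present exactly the burned-in certificate.
func clientConfig(pinned, own tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:       []tls.Certificate{own},
		InsecureSkipVerify: true, // turns off chain and hostname checks; the pin below replaces them
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) != 1 || sha256.Sum256(raw[0]) != sha256.Sum256(pinned.Leaf.Raw) {
				return fmt.Errorf("server presented %d certificate(s), none of them the pinned one", len(raw))
			}
			return nil
		},
	}
}

// handshake runs one loopback TLS connection; the server's verdict is read separately because in TLS 1.3 the client finishes first.
func handshake(srv, cli *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return err
	}
	defer c.Close()
	return <-srvErr
}

func Scenario() (enrolled, unlisted, wrongServer error) {
	serverCert, ca := issue("edr-server", x509.KeyUsageDigitalSignature, nil), issue("edr-server sensor CA", x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, nil)
	sensorA, sensorB := issue("sensor-a", x509.KeyUsageDigitalSignature, &ca), issue("sensor-b", x509.KeyUsageDigitalSignature, &ca)
	allowed := map[[32]byte]bool{sha256.Sum256(sensorA.Leaf.Raw): true} // sensor-b is validly signed but never enrolled
	enrolled = handshake(serverConfig(serverCert, ca, allowed), clientConfig(serverCert, sensorA))
	unlisted = handshake(serverConfig(serverCert, ca, allowed), clientConfig(serverCert, sensorB))
	wrongServer = handshake(serverConfig(ca, ca, allowed), clientConfig(serverCert, sensorA)) // same operator's CA cert, still not the pin
	return enrolled, unlisted, wrongServer
}

func main() { fmt.Println(Scenario()) }
```

Running it prints three results: nil for the enrolled sensor, a server-side rejection for sensor-b even though it holds a perfectly valid certificate from the same CA, and a client-side pin failure when the server presents its own CA certificate instead of the pinned one. The last case is the point of the article: the sensor never consults a CA, so no third-party certificate, and not even another certificate from the same operator, is accepted. Note also that the server's verdict on the client certificate has to be collected from the server side, since under TLS 1.3 the client's handshake completes before the server has examined that certificate.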