Logo

PKI Consortium blog

Posts by author CA Security Council

    Google Plans to Deprecate SHA-1 Certificates – Updated
    September 24, 2014 by CA Security Council Announcement Attack CASC Chrome Code Signing Google Microsoft Policy SHA1 SSL/TLS

    UPDATED September 23, 2014: The following blog post has been updated with action taken in recent weeks, as well as to reflect helpful user comments left on our August 28 blog post on this topic.

    On August 19, Google announced a new policy that accelerates the deprecation of SHA-1 certificates, potentially causing websites using SHA-1 certificates to display warnings in the near future. While keeping with an earlier Microsoft announcement to accept SHA-1 certificates with an expiration date before Jan. 1, 2017, the Google policy will provide new “untrusted” warnings in regards to such certificates as early as this November.

    Google Plans to Deprecate SHA-1 Certificates
    August 28, 2014 by CA Security Council Attack CASC Chrome Code Signing Google Microsoft Policy SSL/TLS

    On August 19, Google announced a new policy that accelerates the deprecation of SHA-1 certificates, potentially causing websites using SHA-1 certificates to display warnings in the near future. With the change, Chrome 39 will show a warning for sites that have a SHA-1 certificate expiring in 2016 and require a click through warning for sites with a SHA-1 certificate expiring in 2017 or later. This proposal is scheduled for Chrome 39, which could be released as early as 12 weeks from now.

    CASC Heartbleed Response
    May 8, 2014 by CA Security Council CASC Chrome CRL Google Malware OCSP Revocation SSL/TLS

    The recent Heartbleed issue has reawakened interest in SSL certificate revocation (see Adam Langley’s blog, Larry Seltzer’s articles here and here, and Steve Gibson’s web pages)

    Several years ago, the CA Browser Forum convened a special Revocation Working Group to explore issues and solutions. Leading CAs were actively involved in that group, and many of them invested in moving their OCSP responders to high-performance, high-availability Content Delivery Networks (CDNs) to respond to browser vendors’ requests for increased performance and reliability.

    What Is Certificate Transparency and How Does It Propose to Address Certificate Mis-Issuance?
    September 9, 2013 by CA Security Council Attack Mis-issued OCSP Revocation SSL/TLS TSA

    As originally architected by Netscape and others in the mid-1990s, the certificate issuance process envisioned that the CA would present the certificate and its contents to the named subject who would review and accept the certificate first. Then the CA would publish the certificate to a repository. That process would establish that the certificate’s subject was aware of certificate issuance. (Otherwise, an unscrupulous CA could sign a subscriber’s public key and create a certificate for the subscriber without its knowledge.) The repository was also an independent means of obtaining and verifying the public key prior to initiating secure, authenticated communication without having to obtain it solely from the server during session negotiation.

    5 Tips for SMBs to Help Secure Their Online Presence
    June 17, 2013 by CA Security Council CASC Identity Malware SSL/TLS Vulnerability

    With National SMB Week upon us, the CASC has come up with its five tips for SMBs to help secure their online presence. By implementing these simple steps SMBs can build trust and loyalty by ensuring their website is safe to visit, search, enter personal information, or complete a transaction.

    1. Create unbreakable passwords – Strong passwords are essential on any account related to your online presence (domain registrar, hosting account, SSL provider, social media, PayPal, etc.). Brute-force attacks where a computer is used to rapidly guess your password are surprisingly common and effective. To prevent your business accounts from being hijacked, we recommend that you use a password generator to create strong passwords and a password safe to store them. Many services now also offer a two-factor authentication option and we recommend that you take advantage of this whenever possible.
    2. Consider an SSL certificate – In today’s world of e-commerce, consumers need to have trust in your brand and your authenticity. If you’re a small business and don’t have the brand identity that your larger competitors enjoy, verifying your identity and trustworthiness with an SSL certificate can make a major difference in your online success. Extended Validation certificates enhance the assurance provided to your customers by displaying your company name in green in their browser’s address bar. Even if your website doesn’t do e-commerce or collect private information, you should consider an SSL certificate to authenticate your business to visitors.
    3. Regularly scan your website for vulnerabilities and malware – It’s common for sites to become infected the same way that your PC can. When this happens, the website might load slowly, display unwanted advertisements, and infect your customer’s computers with more malware. Just as you should run a virus scanner on your PC, it’s a good practice to monitor your site for problems. There are many vendors that will do this automatically and alert you if they find a problem.
    4. Don’t forget updates and patches – Make sure that someone is regularly patching your website. This is especially important if your site is built using popular software like WordPress or Zen Cart. This software is constantly being updated to address security problems, but those updates must be installed on your website, just like installing the latest Windows Updates on your PC. We recommend that you check with your hosting provider or site designer to find out if they are updating your website’s software on a regular basis.
    5. Maintain control – Make sure that you have control over your domain name, SSL certificate, and website. It’s all too common for business owners to hire someone to build their website, and leave that person as the only one with access to the SSL, domain name, and hosting account. When these services come up for renewal or need to be changed, you can run into big problems if you can’t reach the person who originally built the site. We recommend you make sure that someone at your organization is also listed as a contact on these accounts so that you will still be able to maintain continuity with and otherwise manage your certificate, domain name, and hosting account.

    Some Comments on Web Security
    June 5, 2013 by CA Security Council Attack CA/Browser Forum CASC Google IETF Microsoft Mis-issued Policy SSL/TLS

    Steve Johnson of the Mercury News posted an article on Web security and highlighted some of the issues.

    The posted issues help to explain why we created the Certificate Authority Security Council. We want to determine the issues, have them addressed and provide awareness and education on the solutions. The CAs also work with the browsers and other experts in the industry to develop standards for all CAs to be audited against through the CA/Browser Forum.

    An Introduction to OCSP Multi-Stapling
    May 7, 2013 by CA Security Council CA/Browser Forum CRL IETF OCSP Revocation SSL/TLS Vulnerability

    OCSP Stapling

    OCSP is a protocol used to check the validity of certificates to make sure they have not been revoked. OCSP is an alternative to Certificate Revocation Lists (CRLs). Since OCSP responses can be as small as a few hundred bytes, OCSP is particularly useful when the issuing CA has relatively big CRLs, as well as when the client has limited memory and processing power.

    CASC Happenings at NIST
    April 10, 2013 by CA Security Council CASC NIST PKI Policy SSL/TLS TSP

    This week members of the CASC will be attending and speaking at the NIST Workshop on Improving Trust in the Online Marketplace. You can also follow the CASC on Twitter for more information and news at @CertCouncil, as well as see some of the presentations after the events on our SlideShare page. Even if you can’t make it to Maryland, you can still watch the event via the live webcast. Please join us for the following CASC member events:

    What the ICANN SSAC Report Doesn’t Tell You
    March 22, 2013 by CA Security Council CA/Browser Forum CASC ICANN SSL/TLS

    The CA Security Council, which comprises seven of the largest CAs, read with interest the article titled, “Internal-use SSL certificates pose security risk for upcoming domain extensions.” As a group in one of the best positions to understand the impact of the new gTLDs on organizational security infrastructure and the Internet as a whole, we felt it appropriate to comment on this and related stories which summarize the ICANN Security and Stability Advisory Committee (SSAC) report sac 045 Invalid Top Level Domain Queries at the Root Level of the Domain Name System.

    CASC Happenings at RSA
    February 25, 2013 by CA Security Council Attack CASC Identity PKI RSA SSL/TLS

    We are excited to have members of the CASC attending and speaking at this year’s RSA Conference. The events and panels will cover various topics that revolve around the security of the Internet and CAs as a whole. You can follow the CASC on Twitter for more information and news at @CertCouncil, as well as see some of the presentations after the events on our SlideShare page. Please join us for the following CASC member events:

    Participate in our community discussions and/or join the consortium