Logo

PKI Consortium blog

Posts by author Wayne Thayer

    HTTP/2 Update
    October 26, 2016 by Wayne Thayer Google SSL/TLS

    I wrote about the next version of the HTTP protocol 18 months ago. Since then, HTTP/2 has gained significant traction, but not without generating some controversy along the way.

    Performance

    Perhaps the biggest question lingering over HTTP/2 relates to real-world performance benefits. A demonstration comparing the time it takes to load a website over HTTP/1.1 without SSL/TLS versus HTTP/2 (which only works in browsers over HTTPS) has been criticized for being unrealistic. It loads 360 unique images, a scenario that highlights the strengths of HTTP/2’s new design. The criticism comes from the fact that the average web page only loads around 100 objects (images, style sheets, etc.), and is often optimized for HTTP/1.1 using techniques that reduce the effectiveness of the HTTP/2 mechanisms.

    HTTP/2 Is Speedy and Secure
    April 20, 2015 by Wayne Thayer Announcement Chrome Firefox Forward Secrecy Google HSTS IETF Microsoft Mozilla SSL/TLS Vulnerability

    Since we last wrote about SSL/TLS performance, there has been a lot of activity in the IETF HTTP Working Group, resulting in the February announcement that the next version of HTTP has been approved. This is big news because it means that major SSL/TLS performance improvements are on the way.

    Background

    When your browser connects to a website today, it most likely uses the HTTP/1.1 protocol that was defined in 1999 in RFC 2616. Over the past 15 years, HTTP/1.1 has served us well and many tweaks have been discovered to make the most of it. However, in that time the web has transformed into a platform for interactive content and applications. Today, browsers load much more data from many more sources to build the typical web page.

    Extra Trips are for Frequent Flyers, Not SSL/TLS Performance
    October 30, 2014 by Wayne Thayer Firefox Forward Secrecy Google HSTS OCSP Revocation RSA SSL/TLS

    TLS is quickly becoming a de facto requirement for every website due to increased concerns about spying and Google’s recent move to use HTTPS as a factor in search engine ranking. In a recent article we explained how HSTS helps website operators to ensure that their site is always using TLS, but now we want to ensure that your performance isn’t sacrificed in the name of enhanced security. While the myth that TLS slows down a website has been debunked, some basic settings can make a site using TLS even faster.

    What To Do When You Rely on Internal Names in TLS/SSL Certificates
    July 18, 2014 by Wayne Thayer Attack CA/Browser Forum Firefox IANA ICANN Microsoft MITM Qualified SSL/TLS

    A deadline set by the CA/Browser Forum for the use of Internal Names is quickly approaching, and many system administrators need to understand how best to adapt to this change. At the same time, hundreds of new top-level domains are being launched, which redefines what constitutes an Internal Name. In this post we’ll explain what the changes are, why they’re being made, and how you can update your systems in response to the problem.

    Benefits of Elliptic Curve Cryptography
    June 10, 2014 by Wayne Thayer CA/Browser Forum ECC ECDH ECDSA Encryption RSA SSL/TLS

    Elliptic Curve Cryptography (ECC) has existed since the mid-1980s, but it is still looked on as the newcomer in the world of SSL, and has only begun to gain adoption in the past few years. ECC is a fundamentally different mathematical approach to encryption than the venerable RSA algorithm. An elliptic curve is an algebraic function (y2 = x3 + ax + b) which looks like a symmetrical curve parallel to the x axis when plotted. (See figures below.) As with other forms of public key cryptography, ECC is based on a one-way property in which it is easy to perform a calculation but infeasible to reverse or invert the results of the calculation to find the original numbers. ECC uses different mathematical operations than RSA to achieve this property. The easiest way to explain this math is — for an elliptic curve, a line will only pass through three points along the curve (P, Q, and R), and that by knowing two of the points (P and Q), the other (R) can be calculated easily, but with just R, the other two, P and Q, cannot be derived.

    When to Choose an Extended Validation Certificate
    March 25, 2014 by Wayne Thayer CA/Browser Forum EV SSL/TLS

    In our last post, we made a case for using Organizationally Validated (OV) or Extended Validation (EV) certificates for e-commerce, but we didn’t go into detail about the differences between OV and EV. EV certificates provide the highest level of assurance about your business, and they visually indicate this to your site’s visitors.

    The telltale sign that a business has obtained an EV certificate for their website is commonly referred to as the “green bar” displayed in the browser. The exact form of the indicator varies in different desktop and mobile browsers, but is generally a green background, green font color, or green lock icon in the browser’s address bar. The name of the business entity identified by the certificate is often displayed within the green area. These indicators are meant to convey a high level of assurance to a site’s visitors about the reliability of the information in the certificate.

    Pros and Cons of Single-Domain, Multi-Domain, and Wildcard Certificates
    February 26, 2014 by Wayne Thayer Microsoft SSL/TLS

    We have previously written about the different types of SSL certificates, but in that article we focused on validation levels. A recent post on LinkedIn highlighted the fact that there is another dimension that we haven’t yet explored.

    SSL certificates come in three basic packages: “single-domain” certificates that can only be used on one specific website, “multi-domain” certificates that can be used on more than one website, and “wildcard” certificates that can be used on any website within a specific domain name. Multi-domain certificates are often called “unified communications” or “UC” certificates. This is a reference to one common use of these certificates, which is to secure Microsoft messaging products such as Exchange and Lync. The table below shows examples of the number and types of websites that each of these packages can protect:

    Ten Steps to Take If Your Website Is Compromised
    February 12, 2014 by Wayne Thayer CSR Encryption Google Malware SSH SSL/TLS Vulnerability

    After the news broke that 40 million credit card numbers were stolen from Target in a data breach of epic proportions, many of their customers went to work checking their accounts for fraudulent purchases and replacing cards we’d used recently at Target. These have become standard responses to news of this sort. In much the same way, there are some common actions that you should be aware of if your website becomes compromised.

    It’s Time for TLS 1.2
    September 19, 2013 by Wayne Thayer Attack BEAST Chrome Firefox OCSP RC4 SHA2 SSL 3.0 SSL/TLS TLS 1.0 TLS 1.1 TLS 1.2 Vulnerability

    In a previous post titled Getting the Most Out of SSL Part 2, we touched on the recommendation that Web servers be configured to prefer Transport Layer Security (TLS) version 1.2. With the planned release of Firefox 24 and recent release of Chrome 29 adding support for TLS 1.2, now is a great time for website administrators to make the switch.

    Transport Layer Security was formerly called Secure Sockets Layer (SSL) and is the protocol that enables secure “https://” connections to websites. TLS 1.2 was defined 5 years ago in RFC 5246, and TLS 1.1 dates all the way back to RFC 4346 in 2006. Both of these versions are updates to the original standard that fix bugs and problems including vulnerability to cipher block chaining (CBC) such as the BEAST attack that made news in 2011. The authors also added newer cipher suites including a replacement for RC4, a popular cipher that has been shown to be susceptible to attack. In short, enabling TLS 1.2 is like a Windows software update – it fixes potential problems and makes your website more secure.

    Firefox 23 Blocks Mixed Content
    August 13, 2013 by Wayne Thayer Chrome Encryption EV Firefox Google Malware Mixed Content Mozilla SSL/TLS

    The latest version of the Firefox Web browser from Mozilla was released on August 6th with a great new security feature called a “mixed content blocker”. In a nutshell, this feature ensures that all of the parts of a secure Website are indeed encrypted via SSL certificates. All of the data on the website is prevented from being intercepted, and it becomes more difficult to add malware into the site’s content.

    Participate in our community discussions and/or join the consortium