Getting the Most Out of SSL Part 3: Optimization
July 29, 2013 by
Rick Andrews, Ryan Hurst
MITM
Mixed Content
SSL/TLS
To get the most out of SSL/TLS, you need to do a bit more than just configure your web server with an SSL certificate. The information below will help you optimize your website’s use of SSL. Making the changes suggested below will also help move your site towards “Always On SSL” (https://otalliance.org/resources/AOSSL/index.html), a best practice in which you serve the entire contents of your website over SSL/TLS.
Changes to the content of your website
Some HTML tags can include attributes that are links or paths to other pages on your site. These paths can be absolute (explicitly referencing a protocol and domain name, like href=”http://foo.example.com/index.htm” or src=”https://foo.example.com/script.js”) or relative (like href=”/index.htm” or src=”/script.js”).
Getting the Most Out of SSL Part 2: Configuration
June 29, 2013 by
Ryan Hurst
Attack
CASC
DH
Forward Secrecy
OpenSSL
PKI
RC4
RSA
SSL/TLS
TLS 1.0
TLS 1.2
Vulnerability
They say the most complicated skill is to be simple; despite SSL and HTTPS having been around for a long time, they still are not as simple as they could be.
One of the reasons for this is that the security industry is constantly learning more about how to design and build secure systems; as a result, the protocols and software used to secure online services need to continuously evolve to keep up with the latest risks.
5 Tips for SMBs to Help Secure Their Online Presence
June 17, 2013 by
CA Security Council
CASC
Identity
Malware
SSL/TLS
Vulnerability
With National SMB Week upon us, the CASC has come up with its five tips for SMBs to help secure their online presence. By implementing these simple steps SMBs can build trust and loyalty by ensuring their website is safe to visit, search, enter personal information, or complete a transaction.
- Create unbreakable passwords – Strong passwords are essential on any account related to your online presence (domain registrar, hosting account, SSL provider, social media, PayPal, etc.). Brute-force attacks where a computer is used to rapidly guess your password are surprisingly common and effective. To prevent your business accounts from being hijacked, we recommend that you use a password generator to create strong passwords and a password safe to store them. Many services now also offer a two-factor authentication option and we recommend that you take advantage of this whenever possible.
- Consider an SSL certificate – In today’s world of e-commerce, consumers need to have trust in your brand and your authenticity. If you’re a small business and don’t have the brand identity that your larger competitors enjoy, verifying your identity and trustworthiness with an SSL certificate can make a major difference in your online success. Extended Validation certificates enhance the assurance provided to your customers by displaying your company name in green in their browser’s address bar. Even if your website doesn’t do e-commerce or collect private information, you should consider an SSL certificate to authenticate your business to visitors.
- Regularly scan your website for vulnerabilities and malware – It’s common for sites to become infected the same way that your PC can. When this happens, the website might load slowly, display unwanted advertisements, and infect your customer’s computers with more malware. Just as you should run a virus scanner on your PC, it’s a good practice to monitor your site for problems. There are many vendors that will do this automatically and alert you if they find a problem.
- Don’t forget updates and patches – Make sure that someone is regularly patching your website. This is especially important if your site is built using popular software like WordPress or Zen Cart. This software is constantly being updated to address security problems, but those updates must be installed on your website, just like installing the latest Windows Updates on your PC. We recommend that you check with your hosting provider or site designer to find out if they are updating your website’s software on a regular basis.
- Maintain control – Make sure that you have control over your domain name, SSL certificate, and website. It’s all too common for business owners to hire someone to build their website, and leave that person as the only one with access to the SSL, domain name, and hosting account. When these services come up for renewal or need to be changed, you can run into big problems if you can’t reach the person who originally built the site. We recommend you make sure that someone at your organization is also listed as a contact on these accounts so that you will still be able to maintain continuity with and otherwise manage your certificate, domain name, and hosting account.
Some Comments on Web Security
June 5, 2013 by
CA Security Council
Attack
CA/Browser Forum
CASC
Google
IETF
Microsoft
Mis-issued
Policy
SSL/TLS
Steve Johnson of the Mercury News posted an article on Web security and highlighted some of the issues.
The posted issues help to explain why we created the Certificate Authority Security Council. We want to determine the issues, have them addressed and provide awareness and education on the solutions. The CAs also work with the browsers and other experts in the industry to develop standards for all CAs to be audited against through the CA/Browser Forum.
Getting the Most Out of SSL Part 1: Choose the Right Certificate
May 25, 2013 by
Wayne Thayer
CSR
ECC
Microsoft
RSA
SHA2
SSL/TLS
SSL and HTTPS are two of the most common security technologies on the internet today, but at the same time their use can be complex and challenging to get right. Over the next few weeks, we’ll be publishing a series of articles aimed at identifying some of the decisions that need to be made when buying, installing, and using SSL certificates. In this first installment, I’ll discuss some of the issues to consider when buying and requesting a certificate.
CAs Support Standards and Regulations
May 10, 2013 by
Bruce Morton
(Entrust)
CA/Browser Forum
CASC
CICA
ETSI
EV
SSL/TLS
WebTrust
There is an industry myth that certification authorities (CAs) are not regulated. In fact publicly-trusted SSL CAs support the development of industry regulations and have been audited annually to ensure compliance to the many requirements.
To provide some history, SSL CAs have always self-policed themselves by having external audits performed. In the ‘90s, the CAs wrote certificate policies and certification practice statements requiring annual compliance audits. Since there were no CA audit criteria, the CAs contracted for SAS 70 audits.
An Introduction to OCSP Multi-Stapling
May 7, 2013 by
CA Security Council
CA/Browser Forum
CRL
IETF
OCSP
Revocation
SSL/TLS
Vulnerability
OCSP Stapling
OCSP is a protocol used to check the validity of certificates to make sure they have not been revoked. OCSP is an alternative to Certificate Revocation Lists (CRLs). Since OCSP responses can be as small as a few hundred bytes, OCSP is particularly useful when the issuing CA has relatively big CRLs, as well as when the client has limited memory and processing power.
Recap of NIST’s Workshop on Improving Trust in the Online Marketplace
April 17, 2013 by
Rick Andrews
CA/Browser Forum
CASC
NIST
Revocation
SSL/TLS
On April 10 and 11, NIST held a workshop in Maryland to bring together many parties (industry, research and academia communities, and government sectors) to examine “technical and administrative efforts to increase trust online by improving the Public Key Infrastructure certificate marketplace supporting SSL and TLS.”
From the opening keynote to the final remarks, we heard from experts around the world. There were presentations on the current state of trust infrastructure and audits, the impact of recent breaches, detailed looks on some emerging solutions like Certificate Transparency and DANE, and new ideas to manage and minimize risk in key usage.
CASC Happenings at NIST
April 10, 2013 by
CA Security Council
CASC
NIST
PKI
Policy
SSL/TLS
TSP
This week members of the CASC will be attending and speaking at the NIST Workshop on Improving Trust in the Online Marketplace. You can also follow the CASC on Twitter for more information and news at @CertCouncil, as well as see some of the presentations after the events on our SlideShare page. Even if you can’t make it to Maryland, you can still watch the event via the live webcast. Please join us for the following CASC member events:
Self-Signed Certificates Don’t Deliver Trust
April 2, 2013 by
Bruce Morton
(Entrust)
CRL
DV
EV
NIST
OCSP
Policy
SSL/TLS
We’ve heard the argument that website operators could just use self-signed certificates. They are easy to issue and they are “free.” Before issuing self-signed certificates, it’s a good idea to examine the trust and security model. You should also compare self-signed certificates to the publicly trusted certification authority (CA) model; and then make your own decision.
Self-Signed Certificate Model
- Owner says who they are
- Owner issues on their own policy
- Owner is responsible for quality
- Owner may not follow industry guidelines
- Owner may not provide certificate status
- Compromised certificates may not be able to be revoked
- Owner is not audited
- Issuer of certificate may not be authorized by the domain owner
- Certificates may not be renewed if there are no reminders
- Self-signed certificate model does not provide trust and the browser provides a trust dialogue box to indicate such
Publicly-Trusted CA-Signed Certificate Model
- CA verifies the owner of the domain and the certificate applicant
- CA operates to a policy in conformance with the requirements of the browser and operating system vendors. The requirements include the CA/Browser Forum Baseline Requirements, Extended validation (EV) Guidelines and recommendations from NIST.
- CA provides quality to the certificate. Checks include compromised keys, minimum key size, ensuring hashing algorithms, maximum validity period and proper certificate extensions.
- CA updates policy based on industry best practices
- CA provides certificate status through CRL and OCSP
- Compromised certificates can be revoked
- CA is audited to certificate issuing criteria such as WebTrust for CA, WebTrust for EV and SSL Baseline Requirements
- Certificate requesters for a Domain validated certificate are authorized by the owner of the domain. Requesters for Organization and Extended Validation certificates are authorized by a member of the organization specified in the certificate.
- CAs provide multiple reminders to ensure the certificates are renewed before they expire. CAs may also provide certificate discovery tools to find certificates on your systems which may not have reminders.
- Publicly trusted CA model is based on the CA being a trusted third party to the browser/OS vendor, the website certificate subscriber and the end-users of the website. The CA is obligated to meet the requirements of all three parties.
So, when should you use a self-signed certificate?
When trust, security, service, quality and reliability are not your criteria.