Why Is Certificate Expiration Necessary?
October 19, 2016 by Bruce Morton (Entrust) Attack CA/Browser Forum EV Hash Function Identity OCSP Policy RSA SSL/TLS Vulnerability
The Long Life Certificate – Why It Doesn’t Exist Why is certificate expiration even necessary? Wouldn’t it be better if I could just buy a certificate with a long life before expiration? It would really simplify certificate management if it could be installed and forgotten. Simple, no management required, just file-and-forget. Imagine, I’ve been in business, starting say 10 to 15 years ago. I roll out my web pages and secure them with a 20-year-validity SSL certificate.
September 30, 2016 by Rick Andrews, Ben Wilson Encryption Firefox Google Identity Microsoft Mixed Content OpenSSL Policy Qualified SSL/TLS
There is no doubt that content owners and publishers have a duty to encourage trust and the confidence during internet usage by adopting security best practices. If a customer believes that their data and identity are safe and protected, they are more inclined to continue their online transactions. Industry best practices for website protection should be vendor-neutral, easy to implement, and globally accessible. Websites should take all the reasonable steps possible to adopt best practices in secure design and implementation, and this includes using Always-On SSL across the entire website.
Chrome to Show HTTP Sites as Not Secure
September 15, 2016 by Bruce Morton (Entrust) Chrome Google HSTS SSL/TLS Vulnerability
Always-On SSL should be deployed to prevent the “Not secure” warning Website owners who do not secure their website with an SSL/TLS certificate will have to rethink their online strategy. In a push to make the Internet safer for all users, Google will soon be issuing a stronger warning to visitors who navigate to a website that does not have the protection of an SSL/TLS certificate. With the release of Chrome 53 on Windows, Google has changed the trust indications to introduce the circle-i.
How a SWEET32 Birthday Attack is Deployed and How to Prevent It
September 7, 2016 by Bruce Morton (Entrust) 3DES Attack Encryption RC4 SSH SSL/TLS TLS 1.0
Details surrounding the SWEET32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN can be found in the paper released by Karthikeyan Bhargavan and Gaëtan Leurent from INRIA in France. The paper shows that cipher suites using 64-bit block length ciphers are vulnerable to plaintext recovery attacks. As such, Triple-DES (3DES) and Blowfish are vulnerable. Here’s an overview. Vulnerabilities to a SWEET32 Birthday Attack Certain scenarios are pre-disposed to a SWEET32 Birthday attack.
Trust Indication Change in Google Chrome
August 24, 2016 by Bruce Morton (Entrust) Chrome EV Google ISO SSL/TLS
Google is making security icon changes in the Chrome status bar. The changes are based on a research paper prepared by members of Google and University of California, Berkeley. The research evaluated forty icons, seven complementary strings and surveyed 1,329 people. The goal is to make it easier for browser users to determine how secure their connection to a site is and indicate if the site is dangerous or deceptive. In addition, the icons are to indicate to people that HTTP is less secure than HTTPS.
Minimum Requirements for Code Signing Certificates
July 20, 2016 by Bruce Morton (Entrust) CA/Browser Forum CASC Code Signing FIPS HSM Malware Microsoft Revocation TSA
It is time for an update on the Baseline Requirements for Code Signing. First the bad news, the new standard was not approved by the CA/Browser Forum due to philosophical differences among some forum members who felt code signing was not in scope with the Forum’s charter. The good news is the document was created in a multi-stakeholder environment and substantially improves the current management processes. As such, it was decided to bring the document outside of the forum and finalize it as part of the CA Security Council.
TLS Certificates on the Web – The Good, The Bad and The Ugly
May 17, 2016 by Rick Andrews CA/Browser Forum Code Signing ECC Encryption EV Hash Function PKI Policy RSA SSL/TLS
It might be hard to believe, but the SSL/TLS Ecosystem is nearly 20 years old. It’s time to take stock and see how we’re doing with regards to TLS certificates. In this article, we’ll primarily discuss certificates themselves and not web server configuration, although that is often a source of problems. In the last few years, we’ve endured three major certificate-based migrations: Away from the MD2 and MD5 hash algorithms to SHA-1 Away from small RSA keys to 2048-bit keys or larger Away from the SHA-1 hash algorithm to SHA-256 What’s driving these migrations?
What Kind of SSL/TLS Certificate do You Need?
May 12, 2016 by Ben Wilson DV EV SSL/TLS
In previous blog posts we have discussed the differences among the various types of SSL/TLS certificates available. In this blog post we introduce you to a new infographic that has a decision tree to help you select the right kind of certificate for your needs. In most cases you will need a publicly trusted certificate, but the decision tree notes that one type of certificate is the private trust certificate, which can be obtained and used in situations where a publicly trusted certificate cannot be used.
SSL 2.0 and DROWN
April 4, 2016 by Bruce Morton (Entrust) Attack IETF OpenSSL SSL 3.0 SSL/TLS Vulnerability
A team of researchers has announced a vulnerability with SSL 2.0 called Decrypting RSA with Obsolete and Weakened eNcryption; otherwise known as DROWN. SSL 2.0 is a version of the SSL/TLS security protocols. It was released in February 1995, but due to security flaws was superseded by SSL 3.0 in 1996. DROWN is a cross-protocol attack where the bugs in SSL 2.0 can be used to attack the security of connections that use TLS.
Stay Safe This Tax Season by Looking for SSL/TLS Certificates
March 30, 2016 by Ben Wilson Encryption EV Identity SSL/TLS
It’s tax filing season again, and you need to be aware of scams that tried to steal your sensitive information or even your tax refund. During 2015 the IRS blocked over 4.3 million suspicious returns and more than 1.4 million confirmed identity theft returns. https://www.irs.gov/uac/Newsroom/IRS,-States-and-Tax-Industry-Combat-Identity-Theft-and-Refund-Fraud-on-Many-Fronts. Phishing emails, account compromise, identity theft, and fake websites are a few approaches used by cyber criminals this time of year. Good computer security hygiene will usually protect you from someone else filing a tax return in your name.