The Web Is Moving From HTTP to HTTPS
November 21, 2016 by
Dean Coclin
Chrome
Encryption
Google
SSL/TLS
The four letters, “http”, are known to technical and non-technical users alike as the beginning of any web address. These have been ubiquitous for many years. But things are about to change. Pretty soon, you won’t be able to go to many popular websites just by using those 4 letters. You will need to add an “s” at the end (https). Why is this happening? What are the reasons for this change?
Trust on the Public Web – The Consequences of Covert Action
November 11, 2016 by
Dean Coclin
Apple
Chrome
Firefox
Mis-issued
Mozilla
SSL/TLS
You may have heard in the news that the Chinese Certificate Authority, WoSign, was caught backdating SHA-1 certificates to make it look like they were issued before the December 31, 2015 deadline. Why is this newsworthy? For web-based security to remain an integral part of an ecosystem used every day by millions of people around the world, it all comes down to Trust; trust in the organization issuing the certificates, trust in the browsers that validate and display certificate information to the user, and trust by relying parties browsing web pages secured by certificates. Without trust, worldwide commerce and security on the web are at risk.
Google Certificate Transparency (CT) to Expand to All Certificates Types
November 8, 2016 by
Jeremy Rowley
Announcement
CA/Browser Forum
Chrome
DV
EV
Google
IETF
OV
Policy
SSL/TLS
The policy change goes into effect October 2017
A recent Google announcement stated that all publicly trusted SSL/TLS certificates issued in October 2017 or later will be expected to comply with Chrome’s Certificate Transparency (CT) policy or be untrusted by the browser.
HTTP/2 Update
October 26, 2016 by
Wayne Thayer
Google
SSL/TLS
I wrote about the next version of the HTTP protocol 18 months ago. Since then, HTTP/2 has gained significant traction, but not without generating some controversy along the way.
Performance
Perhaps the biggest question lingering over HTTP/2 relates to real-world performance benefits. A demonstration comparing the time it takes to load a website over HTTP/1.1 without SSL/TLS versus HTTP/2 (which only works in browsers over HTTPS) has been criticized for being unrealistic. It loads 360 unique images, a scenario that highlights the strengths of HTTP/2’s new design. The criticism comes from the fact that the average web page only loads around 100 objects (images, style sheets, etc.), and is often optimized for HTTP/1.1 using techniques that reduce the effectiveness of the HTTP/2 mechanisms.
Why Is Certificate Expiration Necessary?
October 19, 2016 by
Bruce Morton
(Entrust)
Attack
CA/Browser Forum
EV
Hash Function
Identity
OCSP
Policy
RSA
SSL/TLS
Vulnerability
The Long Life Certificate – Why It Doesn’t Exist
Why is certificate expiration even necessary? Wouldn’t it be better if I could just buy a certificate with a long life before expiration? It would really simplify certificate management if it could be installed and forgotten. Simple, no management required, just file-and-forget.
Always-On SSL
September 30, 2016 by
Rick Andrews, Ben Wilson
Encryption
Firefox
Google
Identity
Microsoft
Mixed Content
OpenSSL
Policy
Qualified
SSL/TLS
There is no doubt that content owners and publishers have a duty to encourage trust and the confidence during internet usage by adopting security best practices. If a customer believes that their data and identity are safe and protected, they are more inclined to continue their online transactions. Industry best practices for website protection should be vendor-neutral, easy to implement, and globally accessible. Websites should take all the reasonable steps possible to adopt best practices in secure design and implementation, and this includes using Always-On SSL across the entire website.
Chrome to Show HTTP Sites as Not Secure
September 15, 2016 by
Bruce Morton
(Entrust)
Chrome
Google
HSTS
SSL/TLS
Vulnerability
Always-On SSL should be deployed to prevent the “Not secure” warning
Website owners who do not secure their website with an SSL/TLS certificate will have to rethink their online strategy. In a push to make the Internet safer for all users, Google will soon be issuing a stronger warning to visitors who navigate to a website that does not have the protection of an SSL/TLS certificate.
How a SWEET32 Birthday Attack is Deployed and How to Prevent It
September 7, 2016 by
Bruce Morton
(Entrust)
3DES
Attack
Encryption
RC4
SSH
SSL/TLS
TLS 1.0
Details surrounding the SWEET32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN can be found in the paper released by Karthikeyan Bhargavan and Gaëtan Leurent from INRIA in France. The paper shows that cipher suites using 64-bit block length ciphers are vulnerable to plaintext recovery attacks. As such, Triple-DES (3DES) and Blowfish are vulnerable. Here’s an overview.
Vulnerabilities to a SWEET32 Birthday Attack
Certain scenarios are pre-disposed to a SWEET32 Birthday attack. For HTTPS, most susceptible are websites that support the 3DES algorithm and sustain long lived connections.
Trust Indication Change in Google Chrome
August 24, 2016 by
Bruce Morton
(Entrust)
Chrome
EV
Google
ISO
SSL/TLS
Google is making security icon changes in the Chrome status bar. The changes are based on a research paper prepared by members of Google and University of California, Berkeley. The research evaluated forty icons, seven complementary strings and surveyed 1,329 people.
The goal is to make it easier for browser users to determine how secure their connection to a site is and indicate if the site is dangerous or deceptive. In addition, the icons are to indicate to people that HTTP is less secure than HTTPS. Below are representations of the old icons and the selected new icons which are to be used in Chrome.
Minimum Requirements for Code Signing Certificates
July 20, 2016 by
Bruce Morton
(Entrust)
CA/Browser Forum
CASC
Code Signing
FIPS
HSM
Malware
Microsoft
Revocation
TSA
It is time for an update on the Baseline Requirements for Code Signing.
First the bad news, the new standard was not approved by the CA/Browser Forum due to philosophical differences among some forum members who felt code signing was not in scope with the Forum’s charter.
The good news is the document was created in a multi-stakeholder environment and substantially improves the current management processes. As such, it was decided to bring the document outside of the forum and finalize it as part of the CA Security Council. The CASC members and others will continue to enhance and manage the document. Microsoft also supports the document and has added the requirement to use the new standard for code signing certificates by February 1, 2017.