Extended Validation Builds Trust (Infographic)
April 15, 2015 by
CA Security Council
SSL/TLS
Click on the image above to download a full-size version.
CA Security Council Report: Consumers Don’t Know Much About Security, But They Trust the Padlock and Green Bar When Shopping Online
April 13, 2015 by
CA Security Council
CASC
EV
Google
Identity
SSL/TLS
San Francisco – April 13, 2015 – The CA Security Council (CASC), an advocacy group committed to the advancement of the security of websites and online transactions, today released its 2015 Consumer Trust Survey which found that validation matters. While consumers are confused about some aspects of security, they recognize and trust the security that SSL brings to e-commerce sites. Fifty-three percent of respondents identify the padlock as adding confidence in an e-commerce site, with 42 percent associating the green bar and organization name in the URL with greater safety.
Microsoft Deploys Certificate Reputation
April 9, 2015 by
Bruce Morton
(Entrust)
EV
Google
Identity
Microsoft
Mis-issued
SSL/TLS
As we have stated previously, website owners have a concern that an attacker can have a certificate issued for their domain name. We now have two systems which will help monitor certificates for domains: Certificate Transparency (CT) and Certificate Reputation.
At the start of 2015, most certification authorities (CAs) support CT as requested by Google. CT works for extended validation (EV) SSL certificates and will allow all EV certificates to be monitored.
In March 2015, Microsoft deployed Certificate Reputation. Through the use of Windows, Internet Explorer and other applications, certificate data for all types of SSL certificates is collected and provided to Microsoft. In addition, Microsoft has stated that they don’t collect any information that could be used to identify the user.
Fighting the Good Fight for Online Trust
April 2, 2015 by
CA Security Council
Apple
CAA
CASC
Google
HSM
Mis-issued
MITM
Mozilla
Policy
Root Program
SSL/TLS
WebTrust
Once again Browsers and Certificate Authorities are in the news over the reported mis-issuance of an SSL server certificate to a google.com domain. Discovered by Google most likely via technology known as key pinning and discussed by Google’s Adam Langley in this blog, a Chinese certificate authority, CNNIC (Chinese Internet Network Information Center), apparently issued an intermediate certificate to an Egyptian company called MCS Holdings. Because the CNNIC root certificate is included in the root store of most major browsers, users would not see any warnings on sites that have certificates issued by CNNIC or MCS Holdings. When MCS installed their intermediate into a Man in the Middle (MITM) proxy device, that device could then issue certificates for sites which users connected to that proxy would visit. (MITM is described in more detail in our previous blog here: https://casecurity.org/2015/01/08/gogo-found-spoofing-google-ssl-certificates/)
My Website’s SSL Certificate is Fine; Why Do Browsers Downgrade the Security Indicators For My Site?
April 1, 2015 by
Rick Andrews
Attack
Chrome
Encryption
EV
IETF
RC4
SSL/TLS
All the major browsers provide “security user interface”, meaning visual elements to inform the user of the security of their connection to the web page they’re visiting. Up until now, those interface elements were tied to the use of SSL/TLS certificates served by the web site. For example, if you went to http://www.example.com, no special elements would be displayed, but if you visited https://www.example.com, you would see a lock icon indicating the presence of a trusted SSL/TLS certificate. You would also see in the address bar the name of the company responsible for the web site, if the web site used an EV certificate. Most browsers change user interface indicators for mixed content (when a secure page loaded scripts, images or other content from a non-secure site).
Is Your SSL Server Vulnerable to a FREAK Attack?
March 11, 2015 by
Bruce Morton
(Entrust)
Android
Attack
Encryption
Forward Secrecy
Microsoft
MITM
RSA
SSL/TLS
Vulnerability
FREAK is a new man-in-the-middle (MITM) vulnerability discovered by a group of cryptographers at INRIA, Microsoft Research and IMDEA. FREAK stands for “Factoring RSA-EXPORT Keys.”
The vulnerability dates back to the 1990s, when the US government banned selling crypto software overseas, unless it used export cipher suites which involved encryption keys no longer than 512-bits.
The issue is there are still some clients who let crypto be degraded from “strong RSA” to “export grade RSA”. These clients use OpenSSL, Apple’s Secure Transport and Windows Secure Channel. As such, users of Android mobiles, Apple Macs, iPhones and iPads, and Windows platforms will be impacted.
Lenovo Enables Man-in-the-Middle Attacks Via Superfish Adware
February 20, 2015 by
Doug Beattie
(GlobalSign)
Attack
Code Signing
Firefox
Malware
Microsoft
MITM
Mixed Content
SSL/TLS
Vulnerability
Lenovo is selling computers that contain the Superfish application which “supplements” the user’s SSL sessions to enable their adware application to deliver content transparently; however, due to poor security design this leaves users vulnerable to man-in-the-middle attacks.
How it was supposed to work
Superfish uses the program “Visual Discovery” to process images in browser content and then displays ads for similar goods and services. This sounds like any other adware application, but in order to maintain SSL sessions and not alert users with security warnings, Superfish is serving up these images over https. They were able to do this by creating SSL certificates on the fly that imitate the certificates on the “real” websites they have intercepted and using them in a local SSL proxy to deliver content from the Visual Discovery server over the same apparent domain, without clearly revealing what they have done. This is a classic “man in the middle” or MITM process.
SSL Certificate Validity Periods Limited to 39 Months Starting in April
February 19, 2015 by
Jeremy Rowley
CA/Browser Forum
ETSI
Policy
SSL/TLS
Vulnerability
WebTrust
In accordance with the CA/Browser Forum Baseline Requirements, effective April 1, 2015, Certificate Authorities (CAs) will no longer be able to issue SSL Certificates with a validity period longer than 39 months.
Shortening the validity period to 39 months is the result of much consideration within the CA/Browser Forum to arrive at a duration that allows optimal usability while maintaining the tightest network security. A shortened validity period will significantly improve Internet security by requiring administrators to renew and verify their certificates more often. It will also make it easier for users to keep up-to-date on new advances in security and remain aware of their control over private keys.
Gogo Found Spoofing Google SSL Certificates
January 8, 2015 by
Rick Andrews
Google
Malware
MITM
SSL/TLS
It was recently disclosed that Gogo, a provider of Wi-Fi Internet services on commercial aircraft, has been issuing spoofed SSL certificates for Google sites that were viewed by customers of Gogo’s service. It appears that Gogo Inflight Internet was acting as an SSL Man-in-the-middle (MITM), a technique used within some enterprises to allow themselves to inspect and control all web traffic, even traffic to secure web sites. To understand what this means, let me explain MITM in a bit more detail.
2015 – Looking Back, Moving Forward
January 6, 2015 by
Bruce Morton
(Entrust)
Apple
Attack
CA/Browser Forum
CAA
Chrome
Code Signing
EV
Firefox
Forward Secrecy
Google
IETF
Malware
Microsoft
MITM
Mozilla
OpenSSL
PKI
Policy
RSA
SHA1
SSL 3.0
SSL/TLS
TLS 1.0
TLS 1.2
TLS 1.3
Vulnerability
Looking Back at 2014
End of 1024-Bit Security
In 2014, the SSL industry moved to issuing a minimum security of 2048-bit RSA certificates. Keys smaller than 2048 are no longer allowed in server certificates. In addition, Microsoft and Mozilla started to remove 1024-bit roots from their certificate stores. Hopefully, the key size change will support users through to 2030.
