PKI Consortium blog
Posts by tag Attack
Some Comments on Web Security
June 5, 2013 by
CA Security Council
Attack
CA/Browser Forum
CASC
Google
IETF
Microsoft
Mis-issued
Policy
SSL/TLS
Steve Johnson of the Mercury News posted an article on Web security and highlighted some of the issues.
The posted issues help to explain why we created the Certificate Authority Security Council. We want to determine the issues, have them addressed and provide awareness and education on the solutions. The CAs also work with the browsers and other experts in the industry to develop standards for all CAs to be audited against through the CA/Browser Forum.
All You Need to Know About the RC4 Encryption Scheme
March 14, 2013 by
Rick Andrews
Attack
CASC
Encryption
RC4
RSA
SSL/TLS
Vulnerability
The latest published attacks target specific algorithms used within SSL/TLS. Those algorithms are used when a client connects to a server via SSL/TLS; they’re not used when a Certificate Authority signs a certificate. The attacks demonstrate potential weaknesses in the use of the algorithms.
While interesting, the attacks don’t represent an immediate practical threat to users of SSL/TLS (including online banking, e-commerce, social networking, etc.). Such attacks require an attacker to run malicious software on a user’s computer which would connect to a particular web site and send the same message over and over again many times. In fact, if the attacker’s software could send the same message over and over 10 times per second, it would still take more than 3 years for the attack to succeed.
The Importance of Revocation Checking Part 2: A Real World Example
March 11, 2013 by
Wayne Thayer
Attack
Code Signing
CRL
Encryption
Identity
Malware
OCSP
Revocation
SSL/TLS
Just last week, a new security incident related to certificate revocation checking made headlines. It was discovered that a legitimate website was hosting a malicious Java application that installed malware on the computers of people who visited the site. This comes after recent updates that introduced Security Level settings in Java, and then raised the default from Medium to High. At the high level, users are shown a warning before any unsigned Java code is executed. Unfortunately, this recent incident exposed a method that allows an attacker to bypass the warning.
The Importance of Checking for Certificate Revocation
March 9, 2013 by
Rick Andrews
Attack
CRL
Identity
Malware
MITM
OCSP
Revocation
SSL/TLS
Certificates are typically valid for one to three years, and during that time it’s possible that the web site owner or the CA realizes that end users should not trust the certificate. There are several cases in which this might happen, including these:
- The web site owner ceases doing business, no longer owns the domain name used in the certificate, has changed their organization name, or wishes to shut down the web server.
- The subscriber learns that an unauthorized party has gained access to the private key associated with the public key in the certificate.
- The CA learns that errors were made in authentication, the subscriber misrepresented some material info used in the authentication process, or the subscriber has violated the terms of its agreement with the CA.
When the subscriber or CA makes the decision to revoke a certificate, that decision must be conveyed to end users who encounter the certificate in use. There are two different methods for this:
CASC Happenings at RSA
February 25, 2013 by
CA Security Council
Attack
CASC
Identity
PKI
RSA
SSL/TLS
We are excited to have members of the CASC attending and speaking at this year’s RSA Conference. The events and panels will cover various topics that revolve around the security of the Internet and CAs as a whole. You can follow the CASC on Twitter for more information and news at @CertCouncil, as well as see some of the presentations after the events on our SlideShare page. Please join us for the following CASC member events:
Certificate Revocation and OCSP Stapling
February 14, 2013 by
CA Security Council
Attack
CASC
CRL
IETF
OCSP
Revocation
SSL/TLS
Revocation
As a body of global CAs, the CA Security Council is committed to educating server administrators, end-users and other interested parties about SSL enhancements and best practices that can better protect everyone. An important initiative that can make a practical difference right now is addressing easily implemented improvements to certificate status services that handle revocation of invalid or expired certificates, specifically the implementation of OCSP stapling.