Logo

PKI Consortium blog

Posts by tag CASC

    CA Security Council Members Presentation at RSA 2014 Conference: New Ideas on CAA, CT, and Public Key Pinning for a Safer Internet
    March 17, 2014 by Kirk Hall (Entrust) Attack CAA CASC Chrome EV Google IETF Microsoft Mis-issued OCSP Revocation RSA SSL/TLS Vulnerability

    CA Security Council (CASC) members Trend Micro, Go Daddy, and Symantec participated in a discussion panel at the 2014 RSA Conference in San Francisco on February 24 entitled “New Ideas on CAA, CT, and Public Key Pinning for a Safer Internet.” Panel members included Kirk Hall of Trend Micro (Moderator), Wayne Thayer of GoDaddy (Panelist), and Rick Andrews of Symantec (Panelist).

    Introduction to the Topic

    Hall began by introducing the topic – all three alternative technologies (Certificate Transparency or CT, Certificate Authority Authorization or CAA, and Certificate Pinning) are intended to make the internet safer by dealing with mis-issued digital certificates, including so-called “rogue” certs like those obtained by a hacker from the now-defunct Diginotar Certification Authority (CA). Mis-issued certs generally present the greatest potential danger when they are for the most popular fraud target domains, such as mail.google.com, login.yahoo.com, login.live.com, etc.

    ICANN’s Accelerated gTLD Delegation Process and How This Impacts Your Organization
    December 18, 2013 by Jeremy Rowley Announcement CA/Browser Forum CASC ICANN MITM Mozilla PKI Policy Qualified Revocation SSL/TLS Vulnerability

    After the CASC’s previous letter addressing ICANN’s proposal to delegate nearly 2000 new gTLDs for use on the public Internet, ICANN identified and initiated an extensive study on two significant security issues. Now, based on the conclusions of the studies, ICANN is moving forward quickly with the delegation process, delegating more than 30 in the last two months alone. With ICANN ramping up the delegation process, nearly all 2000 will be delegated under the new rules, with only .corp and .home reserved as high risk gTLDs. This post serves as an advisory for interested network administrator on how the newest ICANN decisions may affect their networks and certificates.

    Securing Software Distribution with Digital Code Signing
    October 16, 2013 by Bruce Morton (Entrust), Jeremy Rowley CASC Code Signing Malware SSL/TLS

    Code signing certificates from publicly trusted Certification Authorities (CAs) fulfill a vital need for authentication of software distributed over the Internet in our interconnected world. As the commonly referred to “Internet of things” continues to grow, consumers have access to millions of applications for their desktops, laptops, and mobile devices. Creative software engineers provide us with applications to cover any of our potential needs or interests. Cybercriminals and others with malicious intent recognize this as an opportunity and seek to trick us into installing malicious software (malware) — programs that hijack our computers, steal our money, or try to inflict harm.

    Certificate Authority Audits and Browser Root Program Requirements
    October 15, 2013 by Kirk Hall (Entrust) AICPA CA/Browser Forum CASC ETSI EV ISO ITU Microsoft Policy Qualified Root Program SSL/TLS WebTrust

    Recent news stories have highlighted the need for strong security in online communications, and use of SSL certificates issued by a publicly trusted Certification Authority (CA) is perhaps the best way to achieve that. But why should the public trust SSL certificates issued from commercial CA roots, which are embedded as trust anchors in web browsers?

    One answer is because of the multiple layers of standards and tough requirements that all commercial CAs must meet – and for which they are audited every year. These standards and requirements have increased from year to year over the past decade.

    Getting the Most Out of SSL Part 2: Configuration
    June 29, 2013 by Ryan Hurst Attack CASC DH Forward Secrecy OpenSSL PKI RC4 RSA SSL/TLS TLS 1.0 TLS 1.2 Vulnerability

    They say the most complicated skill is to be simple; despite SSL and HTTPS having been around for a long time, they still are not as simple as they could be.

    One of the reasons for this is that the security industry is constantly learning more about how to design and build secure systems; as a result, the protocols and software used to secure online services need to continuously evolve to keep up with the latest risks.

    5 Tips for SMBs to Help Secure Their Online Presence
    June 17, 2013 by CA Security Council CASC Identity Malware SSL/TLS Vulnerability

    With National SMB Week upon us, the CASC has come up with its five tips for SMBs to help secure their online presence. By implementing these simple steps SMBs can build trust and loyalty by ensuring their website is safe to visit, search, enter personal information, or complete a transaction.

    1. Create unbreakable passwords – Strong passwords are essential on any account related to your online presence (domain registrar, hosting account, SSL provider, social media, PayPal, etc.). Brute-force attacks where a computer is used to rapidly guess your password are surprisingly common and effective. To prevent your business accounts from being hijacked, we recommend that you use a password generator to create strong passwords and a password safe to store them. Many services now also offer a two-factor authentication option and we recommend that you take advantage of this whenever possible.
    2. Consider an SSL certificate – In today’s world of e-commerce, consumers need to have trust in your brand and your authenticity. If you’re a small business and don’t have the brand identity that your larger competitors enjoy, verifying your identity and trustworthiness with an SSL certificate can make a major difference in your online success. Extended Validation certificates enhance the assurance provided to your customers by displaying your company name in green in their browser’s address bar. Even if your website doesn’t do e-commerce or collect private information, you should consider an SSL certificate to authenticate your business to visitors.
    3. Regularly scan your website for vulnerabilities and malware – It’s common for sites to become infected the same way that your PC can. When this happens, the website might load slowly, display unwanted advertisements, and infect your customer’s computers with more malware. Just as you should run a virus scanner on your PC, it’s a good practice to monitor your site for problems. There are many vendors that will do this automatically and alert you if they find a problem.
    4. Don’t forget updates and patches – Make sure that someone is regularly patching your website. This is especially important if your site is built using popular software like WordPress or Zen Cart. This software is constantly being updated to address security problems, but those updates must be installed on your website, just like installing the latest Windows Updates on your PC. We recommend that you check with your hosting provider or site designer to find out if they are updating your website’s software on a regular basis.
    5. Maintain control – Make sure that you have control over your domain name, SSL certificate, and website. It’s all too common for business owners to hire someone to build their website, and leave that person as the only one with access to the SSL, domain name, and hosting account. When these services come up for renewal or need to be changed, you can run into big problems if you can’t reach the person who originally built the site. We recommend you make sure that someone at your organization is also listed as a contact on these accounts so that you will still be able to maintain continuity with and otherwise manage your certificate, domain name, and hosting account.

    Some Comments on Web Security
    June 5, 2013 by CA Security Council Attack CA/Browser Forum CASC Google IETF Microsoft Mis-issued Policy SSL/TLS

    Steve Johnson of the Mercury News posted an article on Web security and highlighted some of the issues.

    The posted issues help to explain why we created the Certificate Authority Security Council. We want to determine the issues, have them addressed and provide awareness and education on the solutions. The CAs also work with the browsers and other experts in the industry to develop standards for all CAs to be audited against through the CA/Browser Forum.

    CAs Support Standards and Regulations
    May 10, 2013 by Bruce Morton (Entrust) CA/Browser Forum CASC CICA ETSI EV SSL/TLS WebTrust

    There is an industry myth that certification authorities (CAs) are not regulated. In fact publicly-trusted SSL CAs support the development of industry regulations and have been audited annually to ensure compliance to the many requirements.

    To provide some history, SSL CAs have always self-policed themselves by having external audits performed. In the ‘90s, the CAs wrote certificate policies and certification practice statements requiring annual compliance audits. Since there were no CA audit criteria, the CAs contracted for SAS 70 audits.

    Recap of NIST’s Workshop on Improving Trust in the Online Marketplace
    April 17, 2013 by Rick Andrews CA/Browser Forum CASC NIST Revocation SSL/TLS

    On April 10 and 11, NIST held a workshop in Maryland to bring together many parties (industry, research and academia communities, and government sectors) to examine “technical and administrative efforts to increase trust online by improving the Public Key Infrastructure certificate marketplace supporting SSL and TLS.”

    From the opening keynote to the final remarks, we heard from experts around the world. There were presentations on the current state of trust infrastructure and audits, the impact of recent breaches, detailed looks on some emerging solutions like Certificate Transparency and DANE, and new ideas to manage and minimize risk in key usage.

    CASC Happenings at NIST
    April 10, 2013 by CA Security Council CASC NIST PKI Policy SSL/TLS TSP

    This week members of the CASC will be attending and speaking at the NIST Workshop on Improving Trust in the Online Marketplace. You can also follow the CASC on Twitter for more information and news at @CertCouncil, as well as see some of the presentations after the events on our SlideShare page. Even if you can’t make it to Maryland, you can still watch the event via the live webcast. Please join us for the following CASC member events:

    Participate in our community discussions and/or join the consortium