PKI Consortium blog

Posts by tag CSR

    Heartbleed Bug Vulnerability: Discovery, Impact and Solution
    April 9, 2014 by Jeremy Rowley
    Tags: Attack, BEAST, CASC, CSR, DTLS, Encryption, Google, OpenSSL, SSL/TLS, TLS 1.0, TLS 1.1, Vulnerability

    On April 7, 2014, a vulnerability in the OpenSSL cryptographic library was announced to the Internet community. Aptly labeled the Heartbleed bug, this vulnerability affects OpenSSL versions 1.0.1 through 1.0.1f (inclusive). The Heartbleed bug is not a flaw in the SSL or TLS protocols; rather, it is a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The flaw is not related to or introduced by publicly trusted certificates and is instead a problem with server software.

    Ten Steps to Take If Your Website Is Compromised
    February 12, 2014 by Wayne Thayer
    Tags: CSR, Encryption, Google, Malware, SSH, SSL/TLS, Vulnerability

    After the news broke that 40 million credit card numbers were stolen from Target in a data breach of epic proportions, many of their customers went to work checking their accounts for fraudulent purchases and replacing cards they’d used recently at Target. These have become standard responses to news of this sort. In much the same way, there are some common actions that you should be aware of if your website becomes compromised.

    How Organizations Are Authenticated for SSL Certificates
    November 22, 2013 by Kirk Hall (Entrust)
    Tags: CA/Browser Forum, CSR, DV, EV, Identity, OV, Phishing, Policy, SSL/TLS

    Certification Authorities (CAs) are trusted third parties that authenticate customers before issuing SSL certificates to secure their servers.

    Exactly how do CAs authenticate these organizations? And where are the rules that determine what CAs must do during authentication?

    The Rules on Customer Authentication

    In the past, there were no common rules applicable to CAs as to minimum steps required to authenticate a customer before issuing an SSL certificate. Instead, each CA was permitted to create its own authentication processes, and was only required to describe the process in general terms in its public Certification Practice Statement (CPS). In many cases, the CPS authentication description was vague and hard to understand, and some CAs were less diligent than others during authentication.

    Getting the Most Out of SSL Part 1: Choose the Right Certificate
    May 25, 2013 by Wayne Thayer
    Tags: CSR, ECC, Microsoft, RSA, SHA2, SSL/TLS

    SSL and HTTPS are two of the most common security technologies on the internet today, but at the same time their use can be complex and challenging to get right. Over the next few weeks, we’ll be publishing a series of articles aimed at identifying some of the decisions that need to be made when buying, installing, and using SSL certificates. In this first installment, I’ll discuss some of the issues to consider when buying and requesting a certificate.
