PKI Consortium blog

Posts by tag Google

    One Year Certs
    July 9, 2020 by Patrick Nohe (GlobalSign) Apple CA/Browser Forum DV Google Identity Microsoft PKI Policy Root Program SHA1 SHA2 SSL/TLS
    Starting on September 1st, SSL/TLS certificates cannot be issued for longer than 13 months (397 days). This change was first announced by Apple at the CA/Browser Forum Spring Face-to-Face event in Bratislava back in March.

    The CA Security Council Looks Ahead to 2020 and Beyond
    January 9, 2020 by Patrick Nohe (GlobalSign), Doug Beattie (GlobalSign) Apple CA/Browser Forum Chrome Edge Encryption EV Firefox Forward Secrecy GDPR Google Identity Microsoft Mozilla PKI Policy Qualified SSL 3.0 SSL/TLS TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 Web PKI
    A whirlwind of activity will cause dramatic shifts across the PKI world in the year ahead Suffice it to say that 2019 was filled with challenges and contentiousness as Certificate Authorities and Browsers began to watch their shared visions diverge. The debate around Extended Validation continued as CAs pushed for a range of reforms and browsers pushed to strip its visual indicators. And a ballot to shorten maximum certificate validity periods exposed fault-lines at the CAB Forum.

    Online Identity Is Important: Let’s Upgrade Extended Validation
    October 21, 2019 by Patrick Nohe (GlobalSign) Apple CA/Browser Forum Chrome Code Signing Encryption EV Google Identity Mozilla Phishing SSL/TLS
    It’s time for the CA/Browser Forum to focus on the other half of its mandate Let’s have a candid discussion about Extended Validation SSL. What’s working. What’s NOT. And what can be done to fix it so that all parties involved are satisfied. But first, let’s zoom out and talk big picture. The vast majority of website owners almost never think of SSL. They worry about it once every year or so when it needs to be replaced, but it’s not really a major point of consideration.

    The Insecure Elephant in the Room
    October 10, 2019 by Paul Walsh 2FA Android Attack Chrome DV Encryption EV Firefox Google Identity Malware Microsoft Mozilla Phishing Policy Revocation SSL/TLS Vulnerability W3C
    The purpose of this article The purpose of this article is to demonstrate why I believe browser-based UI for website identity can make the web safer for everyone. I explain in great detail, the reasons why the UI and UX didn’t work in the past. And what’s left is only making the problem worse instead of better. Some people seem to find it difficult to consume my thoughts about the enforcement of “HTTPS EVERYWHERE”, free DV certs and the browser padlock.

    Why Are You Removing Website Identity, Google and Mozilla?
    August 27, 2019 by Kirk Hall (Entrust), Tim Callan (Sectigo) CA/Browser Forum Chrome DV Encryption EV Firefox GDPR Google Identity Malware Mozilla Phishing SSL/TLS
    You can’t have consumer privacy without having strong website identity Today there’s a huge wave toward protecting consumer privacy – in Congress, with the GDPR, etc. – but how can we protect user privacy on the web without establishing the identity of the websites that are asking for consumer passwords and credit card numbers? Extended Validation (EV) certificates provide this information and can be very useful for consumers. Recently, Google and Mozilla have announced plan to eliminate the distinctive indicators in the Chrome and Firefox browsers that let consumers know that they are looking at a site authenticated with an EV certificate.

    CA Security Council (CASC) 2019 Predictions: The Good, the Bad, and the Ugly
    December 6, 2018 by Bruce Morton (Entrust), Chris Bailey (Entrust), Jay Schiavo (Entrust) Apple Attack CASC Chrome DV Encryption EV Firefox Google Identity IETF Malware Microsoft Phishing SSL/TLS TLS 1.0 TLS 1.2 TLS 1.3
    As the legendary coach of the NY Yankees Yogi Berra allegedly said, “It’s difficult to make predictions, especially about the future.” But we’re going to try. Here are the CA Security Council (CASC) 2019 Predictions: The Good, the Bad, and the Ugly. The Good Prediction: By the end of 2019, over 90% of the world’s http traffic will be secured over SSL/TLS Encryption boosts user security and privacy, and the combined efforts of browsers and Certification Authorities (CAs) over the past few years have moved us rapidly to a world approaching 100% encryption.

    Fortify Allows Users to Generate X.509 Certificates in Their Browser
    June 19, 2018 by Tim Hollebeek Chrome Code Signing Encryption Firefox Google HSM Microsoft Mozilla S/MIME W3C
    Fortify, an open source application sponsored by Certificate Authorities through the CA Security Council, is now available for Windows and Mac. The Fortify app, which is free for all users, connects a user’s web browsers to smart cards, security tokens, and certificates on a user’s local machine. This can allow users to generate X.509 certificates in their browser, replacing the need for the deprecated <keygen> functionality. Certificate Generation In The Browser The Web Cryptography API, also known as Web Crypto, provides a set of cryptographic capabilities for web browsers through a set of JavaScript APIs.

    Chrome Will Show Not Secure for all HTTP Sites Starting July 2018
    February 15, 2018 by Bruce Morton (Entrust) Android Chrome Google HSTS Phishing SSL/TLS Vulnerability
    Through 2017 and into 2018, we have seen the use of HTTPS grow substantially. Last Fall Google announced the following status: Over 68% of Chrome traffic on both Android and Windows is now protected Over 78% of Chrome traffic on both Chrome OS and Mac is now protected 81 of the top 100 sites on the web use HTTPS by default Google helped to drive this growth by implementing the “Secure” and “Not secure” status in Chrome’s status bar.

    2018 – Looking Back, Moving Forward
    January 6, 2018 by Bruce Morton (Entrust) Attack CA/Browser Forum CAA Certificate Expiry Chrome ECC Encryption Google Microsoft Mis-issued OV PDF PKI ROCA RSA SSL/TLS TLS 1.3 Vulnerability
    Looking Back at 2017 2017 saw the end of SHA-1 in public trust SSL/TLS certificates and the start of Certification Authority Authorization (CAA) allowing domain owners to authorize their CA. A “Not secure” browser indication was propagated to push more websites to support HTTPS. There was also a change in the certification authority (CA) ownership with DigiCert acquiring Symantec’s SSL and related PKI business and Francisco Partners buying Comodo’s CA.

    How Browser Security Indicators Can Protect You from Phishing
    June 6, 2017 by Chris Bailey (Entrust), Kirk Hall (Entrust) Chrome DV Encryption EV Google Identity Phishing SSL/TLS
    The media is full of stories about how phishing sites are moving rapidly to encryption using anonymous, free DV certificates they use to imitate login pages for popular sites, such as paypal.com. As noted in the article PayPal Phishing Certificates Far More Prevalent than Previously Thought, more than 14,000 DV SSL certificates have been issued to PayPal phishing sites since the start of 2016. Based on a random sample, 96.

    Participate in our community discussions and/or join the consortium