PKI Consortium blog

Posts by tag Identity

    What Are the Different Types of SSL Certificates?
    August 7, 2013 by Dean Coclin. Tags: DV, Encryption, EV, Identity, Phishing, SSL/TLS

    Domain Validation (DV)

    A Domain Validated SSL certificate is issued once it has been established that the applicant has the right to use the domain. This is typically done by the CA sending an email to the domain owner (as listed in a WHOIS database); once the owner responds, the certificate is issued. Many CAs perform additional fraud checks to minimize issuance of a certificate for a domain that looks similar to a high-value domain (e.g. Micros0ft.com, g00gle.com, b0fay.com). The certificate contains only the domain name. Because of the minimal checks performed, this type of certificate is typically issued more quickly than other types. While the browser displays a padlock, examination of the certificate will not show the company name, as the company identity was not validated.

    5 Tips for SMBs to Help Secure Their Online Presence
    June 17, 2013 by CA Security Council. Tags: CASC, Identity, Malware, SSL/TLS, Vulnerability

    With National SMB Week upon us, the CASC has come up with its five tips for SMBs to help secure their online presence. By implementing these simple steps SMBs can build trust and loyalty by ensuring their website is safe to visit, search, enter personal information, or complete a transaction.

    1. Create unbreakable passwords – Strong passwords are essential on any account related to your online presence (domain registrar, hosting account, SSL provider, social media, PayPal, etc.). Brute-force attacks where a computer is used to rapidly guess your password are surprisingly common and effective. To prevent your business accounts from being hijacked, we recommend that you use a password generator to create strong passwords and a password safe to store them. Many services now also offer a two-factor authentication option and we recommend that you take advantage of this whenever possible.
    2. Consider an SSL certificate – In today’s world of e-commerce, consumers need to have trust in your brand and your authenticity. If you’re a small business and don’t have the brand identity that your larger competitors enjoy, verifying your identity and trustworthiness with an SSL certificate can make a major difference in your online success. Extended Validation certificates enhance the assurance provided to your customers by displaying your company name in green in their browser’s address bar. Even if your website doesn’t do e-commerce or collect private information, you should consider an SSL certificate to authenticate your business to visitors.
    3. Regularly scan your website for vulnerabilities and malware – It’s common for sites to become infected the same way that your PC can. When this happens, the website might load slowly, display unwanted advertisements, and infect your customers’ computers with more malware. Just as you should run a virus scanner on your PC, it’s good practice to monitor your site for problems. There are many vendors that will do this automatically and alert you if they find a problem.
    4. Don’t forget updates and patches – Make sure that someone is regularly patching your website. This is especially important if your site is built using popular software like WordPress or Zen Cart. This software is constantly being updated to address security problems, but those updates must be installed on your website, just like installing the latest Windows Updates on your PC. We recommend that you check with your hosting provider or site designer to find out if they are updating your website’s software on a regular basis.
    5. Maintain control – Make sure that you have control over your domain name, SSL certificate, and website. It’s all too common for business owners to hire someone to build their website and leave that person as the only one with access to the SSL certificate, domain name, and hosting account. When these services come up for renewal or need to be changed, you can run into big problems if you can’t reach the person who originally built the site. We recommend that you make sure someone at your organization is also listed as a contact on these accounts, so that you can maintain continuity and manage your certificate, domain name, and hosting account yourself.

    The Importance of Revocation Checking Part 2: A Real World Example
    March 11, 2013 by Wayne Thayer. Tags: Attack, Code Signing, CRL, Encryption, Identity, Malware, OCSP, Revocation, SSL/TLS

    Just last week, a new security incident related to certificate revocation checking made headlines. It was discovered that a legitimate website was hosting a malicious Java application that installed malware on the computers of people who visited the site. This comes after recent updates that introduced Security Level settings in Java, and then raised the default from Medium to High. At the high level, users are shown a warning before any unsigned Java code is executed. Unfortunately, this recent incident exposed a method that allows an attacker to bypass the warning.

    The Importance of Checking for Certificate Revocation
    March 9, 2013 by Rick Andrews. Tags: Attack, CRL, Identity, Malware, MITM, OCSP, Revocation, SSL/TLS

    Certificates are typically valid for one to three years, and during that time it’s possible that the web site owner or the CA realizes that end users should not trust the certificate. There are several cases in which this might happen, including these:

    • The web site owner ceases doing business, no longer owns the domain name used in the certificate, has changed their organization name, or wishes to shut down the web server.
    • The subscriber learns that an unauthorized party has gained access to the private key associated with the public key in the certificate.
    • The CA learns that errors were made in authentication, that the subscriber misrepresented material information used in the authentication process, or that the subscriber has violated the terms of its agreement with the CA.

    When the subscriber or CA makes the decision to revoke a certificate, that decision must be conveyed to end users who encounter the certificate in use. There are two different methods for this:

    CASC Happenings at RSA
    February 25, 2013 by CA Security Council. Tags: Attack, CASC, Identity, PKI, RSA, SSL/TLS

    We are excited to have members of the CASC attending and speaking at this year’s RSA Conference. The events and panels will cover various topics that revolve around the security of the Internet and CAs as a whole. You can follow the CASC on Twitter for more information and news at @CertCouncil, as well as see some of the presentations after the events on our SlideShare page. Please join us for the following CASC member events:
