PKI Consortium blog
Posts by tag Malware
Don’t ‘Compromise’ Your Code Amid Malware Mayhem
May 12, 2020 by
Abul Salek
(Sectigo)
CA/Browser Forum
Code Signing
EV
FIPS
HSM
Malware
Microsoft
Phishing
SSL/TLS
Code Signing Certificates demand a price premium in the underground online marketplace. This is no surprise considering that criminals sometimes use them to dupe their potential victims into installing malware in their machine.
5 Ways to Keep Up with Authentication Certificates
February 24, 2020 by
Arvid Vermote
Code Signing
Encryption
Identity
ISO
Malware
Microsoft
PKI
SSL/TLS
When it comes to protecting an organization’s data and users, CISOs have no shortage of hurdles. Identity attacks have become sophisticated and convincing, thanks to ransomware, phishing and deep fakes. CISOs have long known the importance of strong identification and authentication controls, but with threats constantly changing and intensifying, having these controls in place is just one piece of the puzzle; they must be managed correctly in order to do their job.
The Insecure Elephant in the Room
October 10, 2019 by
Paul Walsh
2FA
Android
Attack
Chrome
DV
Encryption
EV
Firefox
Google
Identity
Malware
Microsoft
Mozilla
Phishing
Policy
Revocation
SSL/TLS
Vulnerability
W3C
The purpose of this article The purpose of this article is to demonstrate why I believe browser-based UI for website identity can make the web safer for everyone. I explain in great detail, the reasons why the UI and UX didn’t work in the past. And what’s left is only making the problem worse instead of better.
Some people seem to find it difficult to consume my thoughts about the enforcement of “HTTPS EVERYWHERE”, free DV certs and the browser padlock.
Why Are You Removing Website Identity, Google and Mozilla?
August 27, 2019 by
Kirk Hall
(Entrust),
Tim Callan
(Sectigo)
CA/Browser Forum
Chrome
DV
Encryption
EV
Firefox
GDPR
Google
Identity
Malware
Mozilla
Phishing
SSL/TLS
You can’t have consumer privacy without having strong website identity Today there’s a huge wave toward protecting consumer privacy – in Congress, with the GDPR, etc. – but how can we protect user privacy on the web without establishing the identity of the websites that are asking for consumer passwords and credit card numbers? Extended Validation (EV) certificates provide this information and can be very useful for consumers.
Recently, Google and Mozilla have announced plan to eliminate the distinctive indicators in the Chrome and Firefox browsers that let consumers know that they are looking at a site authenticated with an EV certificate.
9 Common Myths About CAs
August 1, 2019 by
Tim Callan
(Sectigo)
CA/Browser Forum
CASC
Code Signing
Encryption
ETSI
Identity
Malware
PKI
Qualified
Revocation
SSL/TLS
Vulnerability
WebTrust
Over the years misconceptions about CAs and the SSL infrastructure have arisen. Below is a list of common myths related to SSL and CAs.
Myth #1: CAs are not regulated Fact: CAs are subject to various checks and balances, including third-party qualified audits through WebTrust or ETSI and strict criteria set forth by leading browsers, before they are accepted in browser root stores. Similarly, the CA/Browser Forum’s Baseline Requirements and Network Security Guidelines establish global standards for certificate issuance and CA controls that will soon be included in third-party auditing standards.
CA Security Council (CASC) 2019 Predictions: The Good, the Bad, and the Ugly
December 6, 2018 by
Bruce Morton
(Entrust),
Chris Bailey
(Entrust),
Jay Schiavo
(Entrust)
Apple
Attack
CASC
Chrome
DV
Encryption
EV
Firefox
Google
Identity
IETF
Malware
Microsoft
Phishing
SSL/TLS
TLS 1.0
TLS 1.2
TLS 1.3
As the legendary coach of the NY Yankees Yogi Berra allegedly said, “It’s difficult to make predictions, especially about the future.” But we’re going to try.
Here are the CA Security Council (CASC) 2019 Predictions: The Good, the Bad, and the Ugly.
The Good Prediction: By the end of 2019, over 90% of the world’s http traffic will be secured over SSL/TLS
Encryption boosts user security and privacy, and the combined efforts of browsers and Certification Authorities (CAs) over the past few years have moved us rapidly to a world approaching 100% encryption.
2017 – Looking Back, Moving Forward
January 13, 2017 by
Bruce Morton
(Entrust)
3DES
Apple
Attack
CA/Browser Forum
CAA
Chrome
Code Signing
Encryption
Firefox
Google
Identity
Malware
MITM
Policy
Revocation
RSA
SSL 3.0
SSL/TLS
TLS 1.3
TSA
Vulnerability
Looking Back at 2016 Fortunately, 2016 was not a year full of SSL/TLS vulnerabilities. Although some researchers did prove old cryptography algorithms should be put out to pasture. The year showed the end of public-trusted SHA-1 SSL/TLS certificates. It also showed more transparency should be considered due to issues discovered with a few certification authorities (CAs). The great news is HTTPS is no longer the minority — after 20 years, connections using HTTPS has surpassed HTTP.
Leading Certificate Authorities and Microsoft Introduce New Standards to Protect Consumers Online
December 8, 2016 by
CA Security Council
CASC
Code Signing
FIPS
HSM
Identity
Malware
Microsoft
Revocation
SSL/TLS
TSA
San Francisco –December 8, 2016 – the Certificate Authority Security Council (CASC), an advocacy group committed to the advancement web security, today announced the Code Signing Working Group has released new Minimum Requirements for Code Signing for use by all Certificate Authorities (CA). These requirements represent the first-ever standardized code signing guidelines. Code signing is the method of using a certificate-based digital signature to sign executables and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted.
Minimum Requirements for Code Signing Certificates
July 20, 2016 by
Bruce Morton
(Entrust)
CA/Browser Forum
CASC
Code Signing
FIPS
HSM
Malware
Microsoft
Revocation
TSA
It is time for an update on the Baseline Requirements for Code Signing.
First the bad news, the new standard was not approved by the CA/Browser Forum due to philosophical differences among some forum members who felt code signing was not in scope with the Forum’s charter.
The good news is the document was created in a multi-stakeholder environment and substantially improves the current management processes. As such, it was decided to bring the document outside of the forum and finalize it as part of the CA Security Council.
Moving to Always on HTTPS, Part 1 of 2; Marking HTTP as Unsecure
February 3, 2016 by
Ben Wilson
Chrome
Firefox
Google
HSTS
Malware
Mixed Content
Mozilla
SSL/TLS
Vulnerability
Over the past several years there has been increased discussion about deprecating HTTP and making HTTPS the default protocol for the World Wide Web. (HTTP stands for “HyperText Transfer Protocol” and the “S” in HTTPS is enabled with an SSL/TLS digital certificate properly installed and configured on a web server.) These discussions have taken place in the context of browser security indications and technical improvements simplifying the global movement to “Always on HTTPS.