PKI Consortium blog
Posts by tag Malware
Don’t ‘Compromise’ Your Code Amid Malware Mayhem
May 12, 2020 by
Abul Salek
(Sectigo)
CA/Browser Forum
Code Signing
EV
FIPS
HSM
Malware
Microsoft
Phishing
SSL/TLS
Code Signing Certificates demand a price premium in the underground online marketplace. This is no surprise considering that criminals sometimes use them to dupe their potential victims into installing malware in their machine.
5 Ways to Keep Up with Authentication Certificates
February 24, 2020 by
Arvid Vermote
Code Signing
Encryption
Identity
ISO
Malware
Microsoft
PKI
SSL/TLS
When it comes to protecting an organization’s data and users, CISOs have no shortage of hurdles. Identity attacks have become sophisticated and convincing, thanks to ransomware, phishing and deep fakes. CISOs have long known the importance of strong identification and authentication controls, but with threats constantly changing and intensifying, having these controls in place is just one piece of the puzzle; they must be managed correctly in order to do their job.
The Insecure Elephant in the Room
October 10, 2019 by
Paul Walsh
2FA
Android
Attack
Chrome
DV
Encryption
EV
Firefox
Google
Identity
Malware
Microsoft
Mozilla
Phishing
Policy
Revocation
SSL/TLS
Vulnerability
W3C
The purpose of this article
The purpose of this article is to demonstrate why I believe browser-based UI for website identity can make the web safer for everyone. I explain in great detail, the reasons why the UI and UX didn’t work in the past. And what’s left is only making the problem worse instead of better.
Why Are You Removing Website Identity, Google and Mozilla?
August 27, 2019 by
Kirk Hall
(Entrust),
Tim Callan
(Sectigo)
CA/Browser Forum
Chrome
DV
Encryption
EV
Firefox
GDPR
Google
Identity
Malware
Mozilla
Phishing
SSL/TLS
You can’t have consumer privacy without having strong website identity
Today there’s a huge wave toward protecting consumer privacy – in Congress, with the GDPR, etc. – but how can we protect user privacy on the web without establishing the identity of the websites that are asking for consumer passwords and credit card numbers? Extended Validation (EV) certificates provide this information and can be very useful for consumers.
9 Common Myths About CAs
August 1, 2019 by
Tim Callan
(Sectigo)
CA/Browser Forum
CASC
Code Signing
Encryption
ETSI
Identity
Malware
PKI
Qualified
Revocation
SSL/TLS
Vulnerability
WebTrust
Over the years misconceptions about CAs and the SSL infrastructure have arisen. Below is a list of common myths related to SSL and CAs.
Myth #1: CAs are not regulated
Fact: CAs are subject to various checks and balances, including third-party qualified audits through WebTrust or ETSI and strict criteria set forth by leading browsers, before they are accepted in browser root stores. Similarly, the CA/Browser Forum’s Baseline Requirements and Network Security Guidelines establish global standards for certificate issuance and CA controls that will soon be included in third-party auditing standards. Browsers are free to use these requirements to exclude non-compliant CAs from the root store.
CA Security Council (CASC) 2019 Predictions: The Good, the Bad, and the Ugly
December 6, 2018 by
Bruce Morton
(Entrust),
Chris Bailey
(Entrust),
Jay Schiavo
(Entrust)
Apple
Attack
CASC
Chrome
DV
Encryption
EV
Firefox
Google
Identity
IETF
Malware
Microsoft
Phishing
SSL/TLS
TLS 1.0
TLS 1.2
TLS 1.3
As the legendary coach of the NY Yankees Yogi Berra allegedly said, “It’s difficult to make predictions, especially about the future.” But we’re going to try.
Here are the CA Security Council (CASC) 2019 Predictions: The Good, the Bad, and the Ugly.
The Good
Prediction: By the end of 2019, over 90% of the world’s http traffic will be secured over SSL/TLS
2017 – Looking Back, Moving Forward
January 13, 2017 by Bruce Morton (Entrust) 3DES Apple Attack CA/Browser Forum CAA Chrome Code Signing Encryption Firefox Google Identity Malware MITM Policy Revocation RSA SSL 3.0 SSL/TLS TLS 1.3 TSA VulnerabilityLooking Back at 2016
Fortunately, 2016 was not a year full of SSL/TLS vulnerabilities. Although some researchers did prove old cryptography algorithms should be put out to pasture. The year showed the end of public-trusted SHA-1 SSL/TLS certificates. It also showed more transparency should be considered due to issues discovered with a few certification authorities (CAs). The great news is HTTPS is no longer the minority — after 20 years, connections using HTTPS has surpassed HTTP.
Leading Certificate Authorities and Microsoft Introduce New Standards to Protect Consumers Online
December 8, 2016 by CA Security Council CASC Code Signing FIPS HSM Identity Malware Microsoft Revocation SSL/TLS TSASan Francisco –December 8, 2016 – the Certificate Authority Security Council (CASC), an advocacy group committed to the advancement web security, today announced the Code Signing Working Group has released new Minimum Requirements for Code Signing for use by all Certificate Authorities (CA). These requirements represent the first-ever standardized code signing guidelines. Code signing is the method of using a certificate-based digital signature to sign executables and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted. Helping to verify software authenticity and avoid downloading malware and other malicious software is critical to protecting consumers’ online interactions. Microsoft is the first applications software vendor to adopt these guidelines, with others expected to follow.
Minimum Requirements for Code Signing Certificates
July 20, 2016 by Bruce Morton (Entrust) CA/Browser Forum CASC Code Signing FIPS HSM Malware Microsoft Revocation TSAIt is time for an update on the Baseline Requirements for Code Signing.
First the bad news, the new standard was not approved by the CA/Browser Forum due to philosophical differences among some forum members who felt code signing was not in scope with the Forum’s charter.
The good news is the document was created in a multi-stakeholder environment and substantially improves the current management processes. As such, it was decided to bring the document outside of the forum and finalize it as part of the CA Security Council. The CASC members and others will continue to enhance and manage the document. Microsoft also supports the document and has added the requirement to use the new standard for code signing certificates by February 1, 2017.
Moving to Always on HTTPS, Part 1 of 2; Marking HTTP as Unsecure
February 3, 2016 by Ben Wilson Chrome Firefox Google HSTS Malware Mixed Content Mozilla SSL/TLS VulnerabilityOver the past several years there has been increased discussion about deprecating HTTP and making HTTPS the default protocol for the World Wide Web. (HTTP stands for “HyperText Transfer Protocol” and the “S” in HTTPS is enabled with an SSL/TLS digital certificate properly installed and configured on a web server.) These discussions have taken place in the context of browser security indications and technical improvements simplifying the global movement to “Always on HTTPS.” Part 1 of this two-part blog post will address browser security indicators, while Part 2 discusses technical developments to make HTTPS the default protocol when browsing the web.
