PKI Consortium blog
Posts by tag Microsoft
Always-On SSL
September 30, 2016 by
Rick Andrews, Ben Wilson
Encryption
Firefox
Google
Identity
Microsoft
Mixed Content
OpenSSL
Policy
Qualified
SSL/TLS
There is no doubt that content owners and publishers have a duty to encourage trust and the confidence during internet usage by adopting security best practices. If a customer believes that their data and identity are safe and protected, they are more inclined to continue their online transactions. Industry best practices for website protection should be vendor-neutral, easy to implement, and globally accessible. Websites should take all the reasonable steps possible to adopt best practices in secure design and implementation, and this includes using Always-On SSL across the entire website.
Minimum Requirements for Code Signing Certificates
July 20, 2016 by
Bruce Morton
(Entrust)
CA/Browser Forum
CASC
Code Signing
FIPS
HSM
Malware
Microsoft
Revocation
TSA
It is time for an update on the Baseline Requirements for Code Signing.
First the bad news, the new standard was not approved by the CA/Browser Forum due to philosophical differences among some forum members who felt code signing was not in scope with the Forum’s charter.
The good news is the document was created in a multi-stakeholder environment and substantially improves the current management processes. As such, it was decided to bring the document outside of the forum and finalize it as part of the CA Security Council.
2016 – Looking Back, Moving Forward
December 14, 2015 by
Bruce Morton
(Entrust)
Attack
CA/Browser Forum
CAA
Chrome
Code Signing
DH
Encryption
Firefox
Google
Hash Function
IETF
Microsoft
MITM
OpenSSL
Policy
RC4
Revocation
RSA
SSL/TLS
TLS 1.2
TLS 1.3
Vulnerability
Looking Back at 2015 A number of new tactics proved 2015 was no exception to an active year defending against ever increasing security issues. Vendors found new and creative ways to provide vulnerabilities including the now popular man-in-the-middle (MitM) attacks. MitM as well as a host of other new vulnerabilities caused browsers to rethink their security requirements. This article gives a flashback of the exploits and industry changes from 2015 and looks ahead at the latest security requirements and how it impacts IT security teams.
What Are “Application Reputation” and “Publisher Reputation”?
August 27, 2015 by
Ben Wilson
Code Signing
Malware
Microsoft
As one dog says to the other in Peter Steiner’s classic New Yorker cartoon– “On the Internet, nobody knows you’re a dog.”
Software downloaded from the Internet is similar to people on the Internet–it is hard to tell which ones are dogs–without help, which is what “application reputation” technology provides. “Application reputation” and “publisher reputation” are methods employed by Microsoft’s SmartScreen and other systems to distinguish good software from bad software as it is downloaded from the Internet.
HTTP/2 Is Speedy and Secure
April 20, 2015 by
Wayne Thayer
Announcement
Chrome
Firefox
Forward Secrecy
Google
HSTS
IETF
Microsoft
Mozilla
SSL/TLS
Vulnerability
Since we last wrote about SSL/TLS performance, there has been a lot of activity in the IETF HTTP Working Group, resulting in the February announcement that the next version of HTTP has been approved. This is big news because it means that major SSL/TLS performance improvements are on the way.
Background When your browser connects to a website today, it most likely uses the HTTP/1.1 protocol that was defined in 1999 in RFC 2616.
Microsoft Deploys Certificate Reputation
April 9, 2015 by
Bruce Morton
(Entrust)
EV
Google
Identity
Microsoft
Mis-issued
SSL/TLS
As we have stated previously, website owners have a concern that an attacker can have a certificate issued for their domain name. We now have two systems which will help monitor certificates for domains: Certificate Transparency (CT) and Certificate Reputation.
At the start of 2015, most certification authorities (CAs) support CT as requested by Google. CT works for extended validation (EV) SSL certificates and will allow all EV certificates to be monitored.
Is Your SSL Server Vulnerable to a FREAK Attack?
March 11, 2015 by
Bruce Morton
(Entrust)
Android
Attack
Encryption
Forward Secrecy
Microsoft
MITM
RSA
SSL/TLS
Vulnerability
FREAK is a new man-in-the-middle (MITM) vulnerability discovered by a group of cryptographers at INRIA, Microsoft Research and IMDEA. FREAK stands for “Factoring RSA-EXPORT Keys.”
The vulnerability dates back to the 1990s, when the US government banned selling crypto software overseas, unless it used export cipher suites which involved encryption keys no longer than 512-bits.
The issue is there are still some clients who let crypto be degraded from “strong RSA” to “export grade RSA”.
Lenovo Enables Man-in-the-Middle Attacks Via Superfish Adware
February 20, 2015 by
Doug Beattie
(GlobalSign)
Attack
Code Signing
Firefox
Malware
Microsoft
MITM
Mixed Content
SSL/TLS
Vulnerability
Lenovo is selling computers that contain the Superfish application which “supplements” the user’s SSL sessions to enable their adware application to deliver content transparently; however, due to poor security design this leaves users vulnerable to man-in-the-middle attacks.
How it was supposed to work Superfish uses the program “Visual Discovery” to process images in browser content and then displays ads for similar goods and services. This sounds like any other adware application, but in order to maintain SSL sessions and not alert users with security warnings, Superfish is serving up these images over https.
2015 – Looking Back, Moving Forward
January 6, 2015 by
Bruce Morton
(Entrust)
Apple
Attack
CA/Browser Forum
CAA
Chrome
Code Signing
EV
Firefox
Forward Secrecy
Google
IETF
Malware
Microsoft
MITM
Mozilla
OpenSSL
PKI
Policy
RSA
SHA1
SSL 3.0
SSL/TLS
TLS 1.0
TLS 1.2
TLS 1.3
Vulnerability
Looking Back at 2014 End of 1024-Bit Security In 2014, the SSL industry moved to issuing a minimum security of 2048-bit RSA certificates. Keys smaller than 2048 are no longer allowed in server certificates. In addition, Microsoft and Mozilla started to remove 1024-bit roots from their certificate stores. Hopefully, the key size change will support users through to 2030.
Push to Perfect Forward Secrecy Following the Edward Snowden revelations of pervasive surveillance, there was a big push to configure web servers to support Perfect Forward Secrecy.
Code Signing Baseline Requirements
October 20, 2014 by
Jeremy Rowley
CA/Browser Forum
CASC
Code Signing
Malware
Microsoft
Vulnerability
Code signing certificates are used to sign software objects to authenticate that they originated from a verified source, allowing developers to avoid warnings commonly displayed by application software vendors such as Microsoft operating systems and Java. A fraudulent code signing certificate can wreak havoc on networks, spreading malware and adware without restraint. Certificate Authorities are tasked with ensuring that code signing applicants are legitimate entities and provide accountability for use of the certificate.