PKI Consortium blog

Posts by tag SSL/TLS

One Year Certs
July 9, 2020 by Patrick Nohe (GlobalSign) Apple CA/Browser Forum DV Google Identity Microsoft PKI Policy Root Program SHA1 SHA2 SSL/TLS
Starting on September 1st, SSL/TLS certificates cannot be issued for longer than 13 months (397 days). This change was first announced by Apple at the CA/Browser Forum Spring Face-to-Face event in Bratislava back in March.

Could Quantum Computing Help Stave Off the Next Great Pandemic?
June 11, 2020 by Patrick Nohe (GlobalSign) Quantum RSA SSL/TLS
As we settle into month two of isolation in the world’s collective battle against the COVID-19 pandemic, one talking point you’ve undoubtedly heard time and again is that this won’t truly be over until there’s a vaccine. A post about how quantum computing could simplify it and reduce the time it takes exponentially.

How to do HTTPS … The Right Way
June 2, 2020 by Corey Bonnell (DigiCert) CAA Identity Phishing Site Seal SSL/TLS
With secure HTTP — aka HTTPS (the “S” is short for “secure”) — swiftly becoming universal on the Internet, it is important to know how to configure HTTPS for your website the right way. The payoff for properly securing your website has many benefits.

Don’t ‘Compromise’ Your Code Amid Malware Mayhem
May 12, 2020 by Abul Salek (Sectigo) CA/Browser Forum Code Signing EV FIPS HSM Malware Microsoft Phishing SSL/TLS
Code Signing Certificates demand a price premium in the underground online marketplace. This is no surprise considering that criminals sometimes use them to dupe their potential victims into installing malware in their machine.

Digital Trust Is Elusive – Are Qualified Trust Services A Solution?
May 1, 2020 by Sebastian Schulz Attack eIDAS ENISA ETSI Phishing Policy QTSP Qualified SSL/TLS Trust List TSP
A popular saying goes: “Trust takes years to build, seconds to break, and forever to repair.” While I wouldn’t completely agree, the idea isn’t wrong. In real life trust between two parties is established over some period of time, depending on a variety of factors. Have you ever wondered why you initially trust some people more and others less, even if you’ve never met them before? There are a complicated multitude of factors that influence our thoughts: the person’s appearance, tone of voice, title or rank, etc.

5 Ways to Keep Up with Authentication Certificates
February 24, 2020 by Arvid Vermote Code Signing Encryption Identity ISO Malware Microsoft PKI SSL/TLS
When it comes to protecting an organization’s data and users, CISOs have no shortage of hurdles. Identity attacks have become sophisticated and convincing, thanks to ransomware, phishing and deep fakes. CISOs have long known the importance of strong identification and authentication controls, but with threats constantly changing and intensifying, having these controls in place is just one piece of the puzzle; they must be managed correctly in order to do their job.

The CA Security Council Looks Ahead to 2020 and Beyond
January 9, 2020 by Patrick Nohe (GlobalSign), Doug Beattie (GlobalSign) Apple CA/Browser Forum Chrome Edge Encryption EV Firefox Forward Secrecy GDPR Google Identity Microsoft Mozilla PKI Policy Qualified SSL 3.0 SSL/TLS TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 Web PKI
A whirlwind of activity will cause dramatic shifts across the PKI world in the year ahead Suffice it to say that 2019 was filled with challenges and contentiousness as Certificate Authorities and Browsers began to watch their shared visions diverge. The debate around Extended Validation continued as CAs pushed for a range of reforms and browsers pushed to strip its visual indicators. And a ballot to shorten maximum certificate validity periods exposed fault-lines at the CAB Forum.

Chrome Kills Mixed Content for HTTPS
December 6, 2019 by Bruce Morton (Entrust) Attack Chrome Firefox Mixed Content Policy SSL/TLS
In a phased approach, Chrome plans to block mixed content on secure websites to improve user security. Most browsers already block some mixed content such as scripts and iframes by default. Chrome is amping it up by gradually taking steps to also block images, audio recordings and videos, according to a recent Google Security blog. Preventing mixed content to load will eventually result in HTTPS websites losing their security indicator downgrading the site to HTTP, which alerts visitors that the site is not secure.

Online Identity Is Important: Let’s Upgrade Extended Validation
October 21, 2019 by Patrick Nohe (GlobalSign) Apple CA/Browser Forum Chrome Code Signing Encryption EV Google Identity Mozilla Phishing SSL/TLS
It’s time for the CA/Browser Forum to focus on the other half of its mandate Let’s have a candid discussion about Extended Validation SSL. What’s working. What’s NOT. And what can be done to fix it so that all parties involved are satisfied. But first, let’s zoom out and talk big picture. The vast majority of website owners almost never think of SSL. They worry about it once every year or so when it needs to be replaced, but it’s not really a major point of consideration.

The Insecure Elephant in the Room
October 10, 2019 by Paul Walsh 2FA Android Attack Chrome DV Encryption EV Firefox Google Identity Malware Microsoft Mozilla Phishing Policy Revocation SSL/TLS Vulnerability W3C
The purpose of this article The purpose of this article is to demonstrate why I believe browser-based UI for website identity can make the web safer for everyone. I explain in great detail, the reasons why the UI and UX didn’t work in the past. And what’s left is only making the problem worse instead of better. Some people seem to find it difficult to consume my thoughts about the enforcement of “HTTPS EVERYWHERE”, free DV certs and the browser padlock.

Participate in our community discussions and/or join the consortium