June 2011 - Entrust, Inc. 1-10 of 17
Addressing Mixed Content Vulnerabilities
I fail to understand why website operators continue to deploy sites with Mixed Content. Are the following trust dialogs presented to their users not sufficient incentive to correct the problem? Nevertheless, a recent study showed that 22 percent of sites use Mixed Content. Internet Explorer (IE) and Firefox present these security dialogs by default. That [Read More...]
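Mixed content arises when a page served over HTTPS references sub-resources over plain HTTP; the browser warns because an on-path attacker can replace those resources. The scanner below is an added example and is not code from the Entrust post or the study it cites. It parses a constructed sample page, resolves each reference against the page URL (so protocol-relative `//cdn...` references and `<base href>` are handled), and reports every `http://` sub-resource, separating "active" content that can rewrite the page (scripts, frames, stylesheets, plugins) from "passive" content (images, media). The tag-to-attribute table and the severity split are this example's own assumptions about what browsers fetch, not something the post states.

```python
"""Mixed-content scanner for an HTTPS page.

Added example, not code from the Entrust blog post. SAMPLE_PAGE is a
constructed HTML document; the tag tables below are this example's own
classification of which references the browser fetches as sub-resources.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches. "Active" content can run code or
# restyle the page; "passive" content can only be replaced or observed.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "frame": "src",
               "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url          # updated if a <base href> appears
        self.findings = []                # (severity, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag names and attribute names.
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.page_url, attrs["href"])
        elif tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self._check("active", tag, attrs["href"])
        elif tag in ACTIVE_TAGS and attrs.get(ACTIVE_TAGS[tag]):
            self._check("active", tag, attrs[ACTIVE_TAGS[tag]])
        elif tag in PASSIVE_TAGS and attrs.get(PASSIVE_TAGS[tag]):
            self._check("passive", tag, attrs[PASSIVE_TAGS[tag]])

    def _check(self, severity, tag, ref):
        # Resolve relative and protocol-relative references before deciding;
        # urlsplit lowercases the scheme, so "HTTP://" is caught too.
        parts = urlsplit(urljoin(self.base_url, ref.strip()))
        if parts.scheme == "http":
            self.findings.append((severity, tag, parts.geturl()))


def scan(page_url, html):
    """Return mixed-content findings for an HTTPS page; [] for an HTTP page."""
    if urlsplit(page_url).scheme != "https":
        return []                          # nothing to downgrade on a plain page
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def has_active_mixed_content(findings):
    return any(severity == "active" for severity, _, _ in findings)


# Constructed sample page: one clean, one protocol-relative and three mixed refs.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="//cdn.example.com/lib.js"></script>
<script src="HTTP://analytics.example.com/track.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://images.example.com/banner.png">
<iframe src="https://partner.example.com/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan("https://www.example.com/login", SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url}")
```

The `//cdn.example.com/lib.js` reference is deliberately not reported: a protocol-relative URL inherits the page's scheme, which is the usual one-line fix for the findings the scanner does report. Note that this is a static check; resources injected by scripts at run time need a browser-based test.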
FFIEC – New Guidance Supplement Hits the Streets
As alluded to in last week’s blog entry, banking security needs vast improvement. As a sign that the government is beginning to understand this, the FFIEC today announced, in a press release, a supplement to the “Authentication in an Internet Banking Environment” guidance. The new supplement attempts to establish minimum control expectations for online banking activities [Read More...]
SSL Session Resume
Yngve Pettersen of Opera has written a great article on SSL Session Resume. The session resumption feature in the SSL/TLS protocol allows multiple connections to reuse the same negotiated secret (the master secret) to derive the encryption keys for each connection. This allows a secure connection to be re-established very quickly with no loss of security, [Read More...]
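The "same negotiated secret, fresh connection keys" point is easiest to see in the key derivation itself. The block below is an added example, not code from Pettersen's article or the Entrust post: it implements the TLS 1.2 PRF (RFC 5246 section 5) and walks through a full handshake, which derives a master secret from a pre-master secret and caches it under a session ID, followed by a resumed handshake, which skips the expensive key exchange and expands the cached master secret with the new client and server randoms. The pre-master secret and randoms are constructed test values, and the session cache is a plain dictionary standing in for the server's real cache. One caveat the example makes concrete: whoever holds the cached master secret (or the key protecting session tickets) can derive the keys of every resumed connection, so that cache needs the same protection as the private key.

```python
"""TLS 1.2 key derivation: full handshake vs. resumed session.

Added example, not code from the Opera article or the Entrust blog. The
pre-master secret, randoms and session cache below are constructed stand-ins.
"""
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246: A(i) = HMAC(secret, A(i-1)), A(0) = seed;
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Full handshake only: 48-byte master secret from the pre-master secret
    agreed via RSA or (EC)DHE. This is the step resumption skips."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Expand the master secret into per-connection keys. The seed order is
    server_random || client_random here, the reverse of the master secret."""
    total = 2 * (mac_len + key_len + iv_len)
    kb = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_mac", "server_mac", "client_key",
             "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def full_handshake(cache: dict, pre_master: bytes, client_random: bytes, server_random: bytes):
    """Derive the master secret, store it under a fresh session ID, return
    (session_id, connection keys)."""
    master = master_secret(pre_master, client_random, server_random)
    session_id = os.urandom(32)
    cache[session_id] = master
    return session_id, key_block(master, client_random, server_random)


def resumed_handshake(cache: dict, session_id: bytes, client_random: bytes, server_random: bytes):
    """Reuse the cached master secret with new randoms. Returns None when the
    server no longer has the session, which forces a full handshake."""
    master = cache.get(session_id)
    if master is None:
        return None
    return key_block(master, client_random, server_random)


# Constructed values: a 48-byte pre-master secret and four 32-byte randoms.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM_1, SERVER_RANDOM_1 = bytes([0x11] * 32), bytes([0x22] * 32)
CLIENT_RANDOM_2, SERVER_RANDOM_2 = bytes([0x33] * 32), bytes([0x44] * 32)

if __name__ == "__main__":
    cache = {}
    sid, keys1 = full_handshake(cache, PRE_MASTER, CLIENT_RANDOM_1, SERVER_RANDOM_1)
    keys2 = resumed_handshake(cache, sid, CLIENT_RANDOM_2, SERVER_RANDOM_2)
    print("resumed session reuses master secret, new client_key:",
          keys1["client_key"] != keys2["client_key"])
```

The resumed connection gets a different key block because the randoms differ, even though no public-key operation ran; that is the "quick, no loss of security" property. The flip side is the cached master secret: it must be kept in memory only, expire, and never be logged or swapped to disk.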
KYC – isn’t it about time banks apply this well known process to the online channel?
KYC, or Know Your Customer, is a very familiar term across every aspect and sector of banking, from local branch employees right up to the top executives. Banks, investment firms, mortgage and loan companies all apply KYC policies, procedures and technologies to ensure they know who they are dealing with, to help protect [Read More...]
Why Code Sign?
Internet users constantly run into situations where they need to download software from websites. In many cases, the user was not planning to download software. However, to experience or use the functionality offered by the website, they need to make a spot decision: “Run” or “Don’t Run.” In this case, “run/don’t run” questions [Read More...]
APT and Layered Authentication
I was recently speaking with someone about their infrastructure and an issue they were addressing. Their infrastructure is based around Active Directory. It is a standard implementation that uses AD to identify end entities, grant privilege and to push policy. The issue is that they are faced with an Advanced Persistent Threat against this existing [Read More...]
What is PIV-I?
I have been involved with credentialing in the Federal Government for many years, coming on multiple decades to be honest, and it has been an interesting ride. Over the last few years there has been a substantial change, starting with the signing of HSPD-12 in 2004. What HSPD-12 did was to codify credential issuance within the Federal Government. HSPD-12 brought in not just [Read More...]
Although this is the Entrust Insight SSL Blog, Entrust Certificate Services issues other types of certificates such as Code Signing, Adobe CDS and Client S/MIME. The purpose of this post is to kick off a series on Code Signing. When the series is completed, this post can be used as an index to all other [Read More...]
Are The Tides Finally Turning? Banks will need to step up fraud controls
Last week, I blogged about the unfortunate court ruling on an online bank fraud case that sided with Ocean Bank, finding that the bank had deployed commercially reasonable security controls and that its customer, Patco Construction, was ultimately responsible for the fraud since it had agreed to the bank’s security measures when it signed its contract. For more [Read More...]
Mobile as a Credential
I recently read an interesting article from Avisian, “Mobile as a Credential” by Zack Martin. The article definitely hit home, as it directly relates to what we have been researching and building at Entrust. The article comes at an interesting time, as we just launched IdentityGuard 10 and I conducted a joint webcast with [Read More...]