SSL Review: March 2014
Here is a monthly SSL review of discussions about SSL (and possibly other digital certificates) from the last month. Entrust Identity ON discussed the following: Always-ON SSL; Moving to TLS 1.2; Bogus SSL Certificates; OCSP Stapling; Apple SSL Bug. CA Security Council discussed the following: Always-On SSL, Part II; Ten Steps to Take If Your [Read More...]
Apple SSL Bug: Test Your Vulnerability, Fix Available Soon
On Friday, Feb. 21, Apple issued a security bulletin for iOS 7.0.6. There was not much detail in the bulletin, but it did state that the impact was “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.” The problem is the result of a coding error where [Read More...]
Network and Desktop Operating Systems Have Too Much Trust
This entry is part 1 of 3 in the series Identity Context: Defense’s Next Play. Part One: Network and Desktop Operating Systems Have Too Much Trust. At Black Hat 2012, John Flynn showed a slide with the text, “The kids these days, they’re hacking the system as a whole.” There is a wide assumption that [Read More...]
Can You Spot a Phishing Email?
This holiday season, buyers everywhere will flock to the Internet to rack up savings on deals and avoid the hassles of shopping in malls and department stores. Unfortunately, shopping online without using caution can lead to great headaches due to the prevalence of criminal activity. One of the most devastating identity theft techniques comes in [Read More...]
Top 10 Holiday Scams to Steer Clear of this Season – Part 2
This is Part 2 of a two-part series. 6. Order shipment notification: When doing your holiday shopping, always make sure that the email notification confirming your order shipment is directly tied to the official company of which you [Read More...]
Chrome Shows SSL Warning for Non-FQDNs
Entrust completed an internal test recently and was surprised by a warning from Google Chrome version 30. The test case has a Web server with a non-fully qualified domain name (non-FQDN) and an SSL certificate from a publicly trusted certification authority (CA). The Chrome browser put an ‘X’ through the lock icon and a cross [Read More...]
How is Your Browser Performing?
We always discuss SSL deployment best practices. These are the actions the Web server administrator takes. These are important to discuss, because the actions on the few million Web servers will increase the functionality and security of the billions of browser users. However, there are two ends to the SSL connection and there is little [Read More...]
Some Comments on Web Security
Web security is a topic important to the health and viability of the Internet. It is crucial for the privacy, integrity and authenticity of sites and users alike.
CAs Support Standards and Regulations
There is an industry myth that certification authorities (CAs) are not regulated. In fact, publicly trusted SSL CAs support the development of industry regulations and have been audited annually to ensure compliance with the many requirements.
Firefox to Block Mixed Content
Website owners who have mixed-content pages will surely be impacted and should make changes. Along with Firefox, Internet Explorer, Chrome and Opera already block mixed content. This means the users of the site will get trust warnings or the browser’s security indication (i.e., lock icon) may not be present.