Over the last few years, we’ve witnessed publicly trusted SSL certificates issued to domain names that were not authorized. These mis-issuances are typically caused by attackers or simply by a mistake on the part of a certification authority (CA). Mis-issuance has been detected in a brute-force manner. Typically, when someone discovers a suspicious issue, they may report it and it may be investigated. Eventually,
With the announcement of the Heartbleed bug and the resulting need to revoke large numbers of SSL certificates, the topic of certificate revocation has, once again, come to the fore. What are the issues with how revocation information is provided to the browsers? Entrust's Bruce Morton offers a detailed look.