Some Comments on Web Security
Web security is a topic important to the health and viability of the internet. It is crucial for the privacy, integrity and authenticity of sites and users alike.
Public Key Pinning Extension for HTTP
In 2011, Google added public key pinning to Chrome. They whitelisted the certification authority (CA) public keys that could be used to secure Google domains, so a certificate chain for those hosts is rejected unless one of its certificates carries a pinned key, even when the issuing CA is otherwise trusted by the browser.
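The check behind that sentence, as an added example that is not code from the original page or from Google: a pin is the base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo (the pin format later standardised in RFC 7469, the Public Key Pinning Extension for HTTP), and a chain passes when any certificate in it, leaf, intermediate or root, carries a pinned key. The DER walker, the certificate shells and the keys below are constructed for the example (no real certificates or signatures are involved), and the header builder assumes RFC 7469's rule that a header must carry at least one backup pin that does not match the current chain. Browsers have since dropped support for the HPKP header itself; the key-matching logic is the same one a built-in pin list uses.

```python
import base64
import hashlib

# --- Minimal DER helpers: just enough to walk Certificate -> SubjectPublicKeyInfo ---

def der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_encode_len(len(body)) + body


def der_read_tlv(buf, pos=0):
    """Return (tag, value, end_offset) for the TLV that starts at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def der_children(body):
    """List of (tag, raw_tlv_bytes) for each element of a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = der_read_tlv(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out


def spki_from_cert(cert_der):
    """Extract the raw DER SubjectPublicKeyInfo from an X.509 certificate."""
    tag, cert_body, _ = der_read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs_body, _ = der_read_tlv(cert_body)            # tbsCertificate
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


# --- Pinning logic ---

def pin_sha256(spki_der):
    """RFC 7469 pin: base64(SHA-256(DER(SubjectPublicKeyInfo)))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_pins(chain_der):
    return {pin_sha256(spki_from_cert(c)) for c in chain_der}


def chain_matches_pins(chain_der, pins):
    """Accept the chain if ANY certificate in it carries a pinned key (leaf, intermediate or CA)."""
    return bool(chain_pins(chain_der) & set(pins))


def has_backup_pin(pins, chain_der):
    """RFC 7469: a header needs one pin that matches the chain and one that does not (the backup)."""
    seen = chain_pins(chain_der)
    return any(p in seen for p in pins) and any(p not in seen for p in pins)


def public_key_pins_header(pins, max_age=5184000, include_subdomains=False):
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


# --- Constructed sample data: structurally valid X.509 shells with dummy keys, not real certificates ---
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def make_spki(key_bytes):
    alg = der_tlv(0x30, der_tlv(0x06, OID_RSA_ENCRYPTION) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key_bytes))


def make_cert(spki, serial):
    """v3 shell: empty issuer/subject and dummy signature, since only the SPKI position matters here."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    sig_alg = der_tlv(0x30, der_tlv(0x06, OID_RSA_ENCRYPTION) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"110101000000Z") + der_tlv(0x17, b"121231235959Z"))
    tbs = der_tlv(0x30, version + der_tlv(0x02, bytes([serial])) + sig_alg
                  + der_tlv(0x30, b"") + validity + der_tlv(0x30, b"") + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 9))


TRUSTED_CA_SPKI = make_spki(b"\x01" * 32)   # the CA key the site operator pins
ROGUE_CA_SPKI = make_spki(b"\x02" * 32)     # some other publicly trusted CA
BACKUP_SPKI = make_spki(b"\x03" * 32)       # offline backup key, not in any issued chain yet
LEAF_SPKI = make_spki(b"\x04" * 32)

GOOD_CHAIN = [make_cert(LEAF_SPKI, 1), make_cert(TRUSTED_CA_SPKI, 2)]
ROGUE_CHAIN = [make_cert(make_spki(b"\x05" * 32), 3), make_cert(ROGUE_CA_SPKI, 4)]
PINS = [pin_sha256(TRUSTED_CA_SPKI), pin_sha256(BACKUP_SPKI)]

if __name__ == "__main__":
    print(public_key_pins_header(PINS, include_subdomains=True))
    print("good chain accepted:", chain_matches_pins(GOOD_CHAIN, PINS))
    print("rogue-CA chain accepted:", chain_matches_pins(ROGUE_CHAIN, PINS))
```

Pinning the CA key rather than the leaf key is what lets the site rotate end-entity certificates freely while still rejecting a mis-issued certificate from any other CA; the backup pin is what keeps the site reachable if the pinned CA key ever has to be replaced.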
SSL News from Black Hat and DEF CON
I like to follow up each year with the SSL news from Black Hat USA and DEF CON 20. I was just looking for my 2011 follow-up and found out that I never released it. Unfortunately, I started the write-up just before the DigiNotar fiasco and never finished it. So what SSL presentations occurred [Read More...]
What is TACK?
Two researchers have prepared a draft standard (an Internet-Draft) for the Internet Engineering Task Force to help extend the trust of SSL certificates. The approach is Trust Assertions for Certificate Keys, or TACK, and was prepared by Trevor Perrin and Moxie Marlinspike. TACK is a TLS extension that enables a web server to assert the authenticity of [Read More...]
Dutch Government: PKI alternatives, replacements not on horizon
In July 2011, Dutch certification authority (CA) DigiNotar experienced a security incident that affected the national security infrastructure of both governmental and non-governmental bodies in the Netherlands. The government commissioned a report looking into the incident and the broader CA/SSL market. One of the conclusions of the Dutch government’s report is that alternatives to PKI [Read More...]
VASCO/DigiNotar – the Entrust Perspective
So what happened? DigiNotar, a publicly trusted Certification Authority based in the Netherlands and a wholly owned subsidiary of VASCO, was compromised in July 2011. This compromise came to light in late August with the discovery of a fraudulent SSL certificate issued to *.google.com. The browser community took immediate steps to disable the DigiNotar root [Read More...]