Firefox to Block Mixed Content
Website owners who have mixed-content pages will surely be impacted and should make changes. Along with Firefox, Internet Explorer, Chrome and Opera already block mixed content. This means the users of the site will get trust warnings or the browser’s security indication (i.e., lock icon) may not be present.
Should You Use SHA-2?
A common question we receive from certificate customers: should we ask Entrust to sign our certificate with a signature using the SHA-2 hashing algorithm?
HTTPS Everywhere 3.0
The Electronic Frontier Foundation (EFF) has released HTTPS Everywhere 3.0.
Stopping CRIME Attacks
This article by Dan Goodin appears to cover the most facts about the CRIME attack on SSL/TLS. It answers my first question about what the acronym means; CRIME is short for “Compression Ratio Info-Leak Made Easy.” It also confirms the attack is performed when the communication uses TLS compression. My understanding is that TLS compression [Read More...]
Speculation on CRIME
The SSL industry is waiting for the Ekoparty Security Conference next week to find out more details on the CRIME SSL/TLS attack. Speculation by SSL/TLS experts? The attack is based on TLS compression. Thomas Pornin made this post on IT Security of his guesses on how compression could be used in an attack. This also [Read More...]
CRIME Attack on SSL/TLS
The security researchers who brought us BEAST now have a new SSL/TLS attack: CRIME. I would like to know what the acronym CRIME stands for, but we’ll probably have to wait until Juliano Rizzo and Thai Duong present their work at Ekoparty Security Conference later this month. Little information about the attack has been published. [Read More...]
Firefox’s Lock Icon is Back
I’m a little late with this blog item. Maybe it was because it was a great summer or maybe it’s because I don’t use Firefox or maybe it’s because … Firefox 14.0 released in June 2012 and the SSL lock symbol is back. I wrote a blog last year where the beta of Firefox 4.0 [Read More...]
HTTP Strict Transport Security (HSTS) will soon be finalized and available in an IETF standard. The request for comment (RFC) is at version 11 and the IESG has put out a last call for comments. HSTS is a security policy mechanism where a Web server tells a supporting browser that it can only connect to [Read More...]
Google Rethinks Revocation
Google has decided in Chrome that they’re going to take a different approach to certificate revocation. Chrome developer Adam Langley describes the decision in detail in his blog, Imperial Violet. Unlike a number of CAs, we think this is a pretty good idea, even if incompletely executed so far. Revocation is a difficult task. It [Read More...]
Don’t fear the BEAST
A few weeks ago, Juliano Rizzo and Thai Duong published a paper on an SSL attack that they call BEAST, which decrypts parts of an SSL connection. Before I discuss it at length, let me cut to the chase on it. Q: Is this something that you need to worry about? A: No. Here’s a [Read More...]