One of the advantages of the SSL industry is that certificates can be issued by most trusted certification authorities (CAs). This gives certificate customers the flexibility to choose their CA or to use a number of CAs. The disadvantage is that the end-user does not know whether the CA was authorized to issue the certificate and ...
2014 – Looking Back, Moving Forward
Looking Back at 2013 Protocol Attacks The year started with a couple of SSL/TLS protocol attacks: Lucky Thirteen and an attack on RC4. Lucky Thirteen allows the decryption of sensitive information, such as passwords and cookies, when CBC-mode cipher suites are used. Lucky Thirteen can be mitigated by implementing software patches or by preferring the RC4 cipher suite. ...
Bogus SSL Certificates
Netcraft has published an article stating they have found many bogus SSL certificates. In this case, a bogus certificate is self-signed (i.e., not issued from a legitimate certification authority) and replicates an SSL certificate of a large, popular website. This type of bogus SSL certificate could be used for a man-in-the-middle (MITM) attack. In this ...
Public Key Pinning
This post was originally published on the CA Security Council blog. The current browser-certification authority (CA) trust model allows a website owner to obtain its SSL certificate from any one of a number of CAs. That flexibility also means that a certificate mis-issued by a CA other than the authorized CA chosen by the website owner, ...
Some Comments on Web Security
Web security is a topic important to the health and viability of the internet. It is crucial for the privacy, integrity and authenticity of sites and users alike.
Public Key Pinning Extension for HTTP
In 2011, Google added public key pinning to Chrome. They white-listed the certification authority public keys that could be used to secure Google domains.
TURKTRUST Unauthorized CA Certificates
Although unrelated to Entrust, I thought you might be interested in the news about TURKTRUST.
Public Key Pinning
In the wake of the Comodo attack, the Internet industry is looking for ways to mitigate similar attacks in the future. Public key pinning may prove to be effective. Google has developed the public key pinning concept that will debut in Chrome version 13 for most Google Internet properties (e.g., https://www.google.com). Public key pinning means ...