About

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

Blog Posts 1-10 of 136

OpenSSL Heartbleed Bug

April 8, 2014 by Bruce Morton     9 Comments

A new threat called the Heartbleed Bug has just been reported by some researchers at Codenomicon and Google. Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL. The official reference to the Heartbleed bug is CVE-2014-0160. Heartbleed allows an attacker to read the memory of a system over the Internet and compromise the private [Read More...]

Filed Under:
Tagged With:

Do You Need SHA-2 Signed Root Certificates?

April 4, 2014 by Bruce Morton     No Comments

We have discussed the SHA-1 deprecation policy and why you should move to SHA-2. The certification authorities (CAs) have provided methods to have your certificates issued and signed using a SHA-2 hashing algorithm. As we move ahead, you will see the CAs changing the default signing algorithm from SHA-1 to SHA-2. It’d be sound strategy [Read More...]

Filed Under:
Tagged With:

SSL Review: March 2014, part 2

April 2, 2014 by Bruce Morton     No Comments

Entrust’s monthly review of SSL discussions — and likely other digital certificates — recaps news, trends and opinions from the industry. Entrust and CA Security Council Entrust Identity ON discussed: 2014 – Looking Back, Moving Forward Elliptic-Curve Cryptography, Simplified Who will Control ICANN? Your Audit Report has Expired CA Security Council discussed: Think Twice Before [Read More...]

Your Audit Report has Expired

March 27, 2014 by Bruce Morton     No Comments

Here is an interesting theme of questions we receive all the time. Why has your CA audit report expired? Or, when will your audit report be brought up to date? The answer? The audit report is up to date and a new audit report will be provided within three months of the end of the [Read More...]

Filed Under:
Tagged With:

Who Will Control ICANN?

March 24, 2014 by Bruce Morton     No Comments

Internet Corporation for Assigned Names and Numbers (ICANN) manages domain names for websites and email servers. To date, ICANN has been controlled by the U.S Department of Commerce; however, the contract will expire in September 2015. The U.S Department of Commerce has always overseen ICANN, but generally “rubber stamps” their approach. This matches the thought [Read More...]

Filed Under:
Tagged With:

SSL Review: March 2014

March 13, 2014 by Bruce Morton     No Comments

Here is a monthly SSL review of discussions about SSL (and possibly other digital certificates) from the last month. Entrust Identity ON discussed the following: Always-ON SSL Moving to TLS 1.2 Bogus SSL Certificates OCSP Stapling Apple SSL Bug CA Security Council discussed the following: Always-On SSL, Part II Ten Steps to Take If Your [Read More...]

Certificate Reputation

March 10, 2014 by Bruce Morton     No Comments

One of the advantages of the SSL industry is that certificates can be issued from most trusted certification authorities (CAs). This allows certificate customers flexibility in choosing their CA or deciding to use a number of CAs. The disadvantage is the end-user does not know if the CA was authorized to issue the certificate and [Read More...]

2014 – Looking Back, Moving Forward

March 3, 2014 by Bruce Morton     1 Comment

Looking Back at 2013 Protocol Attacks The year started with a couple of SSL/TLS protocol attacks: Lucky Thirteen and RC4 attack. Lucky Thirteen allows the decryption of sensitive information, such as passwords and cookies, when using the CBC-mode cipher suite. Lucky Thirteen can be mitigated by implementing software patches or preferring the cipher suite RC4. [Read More...]

Apple SSL Bug: Test Your Vulnerability, Fix Available Soon

February 24, 2014 by Bruce Morton     No Comments

On Friday, Feb. 21, Apple issued a security bulletin for iOS 7.0.6. There was not much detail in the bulletin, but it did state that the impact was “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.” The problem is the result of a coding error where [Read More...]

OCSP Stapling

February 24, 2014 by Bruce Morton     1 Comment

Digital certificate status is provided by the certificate revocation list (CRL) and online certificate status protocol (OCSP). The CRL is a list of all certificates that have been revoked. If the serial number is not on the list it is assumed to be good. OCSP provides a response for all certificates. In layman’s terms, the [Read More...]

Filed Under:
Tagged With: