Category Archives: SSL Deployment

Entrust OpenSSL Disclosure

April 14, 2014 by Entrust, Inc.     No Comments

With news of the Heartbleed bug, we have been receiving questions as to how this impacts the certification authority (CA) service at Entrust. In summary, Entrust SSL customers do not need to be concerned about the management of their certificates or their certificate management accounts. The CA private keys are protected on a NIST FIPS [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: OpenSSL, SSL

Heartbleed & OpenSSL — Do End-Users Need to Change Their Passwords?

April 10, 2014 by Entrust, Inc.     No Comments

The discovery of the Heartbleed implementation bug that could attack certain version of OpenSSL has, rightfully, made global headlines. While this vulnerability doesn’t affect the certificates issued by trusted certification authorities (CA), the discovery has set end-users into a bit of “password panic.” The crux of the issue is that services providers, website operators, software [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: heartbleed, OpenSSL, SSL

OpenSSL Heartbleed Bug

April 8, 2014 by Bruce Morton     9 Comments

A new threat called the Heartbleed Bug has just been reported by some researchers at Codenomicon and Google. Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL. The official reference to the Heartbleed bug is CVE-2014-0160. Heartbleed allows an attacker to read the memory of a system over the Internet and compromise the private [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: Apache, heartbleed, NGINX

Do You Need SHA-2 Signed Root Certificates?

April 4, 2014 by Bruce Morton     No Comments

We have discussed the SHA-1 deprecation policy and why you should move to SHA-2. The certification authorities (CAs) have provided methods to have your certificates issued and signed using a SHA-2 hashing algorithm. As we move ahead, you will see the CAs changing the default signing algorithm from SHA-1 to SHA-2. It’d be sound strategy [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: root certificates, SHA-1, SHA-2

SSL Review: March 2014

March 13, 2014 by Bruce Morton     No Comments

Here is a monthly SSL review of discussions about SSL (and possibly other digital certificates) from the last month. Entrust Identity ON discussed the following: Always-ON SSL Moving to TLS 1.2 Bogus SSL Certificates OCSP Stapling Apple SSL Bug CA Security Council discussed the following: Always-On SSL, Part II Ten Steps to Take If Your [Read More...]

Filed Under: Secure Browsing, SSL, SSL Deployment Tagged With: Apple, OCSP, SSL

Certificate Reputation

March 10, 2014 by Bruce Morton     No Comments

One of the advantages of the SSL industry is that certificates can be issued from most trusted certification authorities (CAs). This allows certificate customers flexibility in choosing their CA or deciding to use a number of CAs. The disadvantage is the end-user does not know if the CA was authorized to issue the certificate and [Read More...]

2014 – Looking Back, Moving Forward

March 3, 2014 by Bruce Morton     1 Comment

Looking Back at 2013 Protocol Attacks The year started with a couple of SSL/TLS protocol attacks: Lucky Thirteen and RC4 attack. Lucky Thirteen allows the decryption of sensitive information, such as passwords and cookies, when using the CBC-mode cipher suite. Lucky Thirteen can be mitigated by implementing software patches or preferring the cipher suite RC4. [Read More...]

Apple SSL Bug: Test Your Vulnerability, Fix Available Soon

February 24, 2014 by Bruce Morton     No Comments

On Friday, Feb. 21, Apple issued a security bulletin for iOS 7.0.6. There was not much detail in the bulletin, but it did state that the impact was “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.” The problem is the result of a coding error where [Read More...]

Filed Under: Secure Browsing, SSL, SSL Deployment Tagged With: goto fail, iOS, OS X

OCSP Stapling

February 24, 2014 by Bruce Morton     1 Comment

Digital certificate status is provided by the certificate revocation list (CRL) and online certificate status protocol (OCSP). The CRL is a list of all certificates that have been revoked. If the serial number is not on the list it is assumed to be good. OCSP provides a response for all certificates. In layman’s terms, the [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: OCSP, OCSP stapling, RFC 5019

Moving to TLS 1.2

February 10, 2014 by Bruce Morton     No Comments

In 2014, there will be a trend for website owners to implement TLS 1.2 on their servers. TLS 1.2 was defined in RFC 5246 in August 2008 and is the most secure version of SSL/TLS protocol. Although TLS 1.2 has been available for a few years, it is not well deployed. SSL Pulse indicates that [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: CBC, How's My SSL, Microsoft