Bruce Morton
Director for Certificate Services
CA/Browser Forum Updates Requirements for Code Signing Certi...
The CA/Browser Forum has approved Ballot CSC-13 and has updated the effective date with Ballot…
SSL Review: August 2022
The Entrust monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
SSL Review: July 2022
The Entrust monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
SSL Review: June 2022
The Entrust monthly SSL review covers TLS/SSL discussions — recaps news, trends, and opinions from…
SSL Review: April & May 2022
The Entrust monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
Timestamp Requests and SHA-1 Deprecation
Entrust hosts a time-stamp authority (TSA) to support our customers who digitally sign data such…
SSL Review: March 2022
The Entrust monthly SSL review covers SSL/TLS discussions — recaps news, trends, and opinions from…
SSL Review: February 2022
The Entrust monthly SSL review covers SSL/TLS discussions — recaps news, trends, and opinions from…
SSL Review: January 2022
The Entrust monthly SSL review covers SSL/TLS discussions – recaps news, trends, and opinions from…
SSL Review: December 2021
The Entrust monthly SSL review covers SSL/TLS discussions — recaps news, trends, and opinions from…
Apple Changes S/MIME Certificate Validity Period to 1185-Day...
In November 2021, we posted that Apple set the validity period of S/MIME certificates to…
2022 – Looking Back, Moving Forward with TLS
Looking back at 2021 In 2021, HTTPS was everywhere and use of the TLS 1.3…
New Requirement Will Deprecate the Organization Unit (OU) Fi...
In June 2021, the CA/Browser Forum passed ballot SC47 to remove the organization unit (OU)…
SSL Review: November 2021
The Entrust monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
Apple Reduces S/MIME Certificate Validity Period to 825-Days
At the October 2021 CA/Browser virtual face-to-face conference, Apple advised of updates to their root…
Wildcard and multi-domain TLS certificates and ALPACA attack
Marcus Brinkmann presented the Application Layer Protocol Confusion-Analyzing and Mitigating Cracks in TLS Authentication (ALPACA)…
SSL Review: October 2021
The Entrust monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
SSL Review: September 2021
The Entrust monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
SSL Review: August 2021
The Entrust monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
SSL Review: July 2021
The Entrust monthly SSL review covers TLS/SSL discussions – recaps, news, trends, and opinions from…
SSL Review: June 2021
The Entrust monthly SSL review covers TLS/SSL discussions – recaps news, trends, and opinions from…
SSL Review May 2021
The Entrust monthly SSL review covers SSL/TLS discussions – recaps news, trends, and opinions from…
SSL Review: April 2021
The Entrust monthly SSL review covers SSL/TLS discussions – recaps news, trends, and opinions from…
SSL Review: March 2021
Entrust’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from the…
SSL Review: February 2021
Entrust’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from the…
SSL Review: January 2021
Entrust’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from the…
Code Signing Baseline Requirements Oblige Larger Keys for Cr...
Signing certificates are used to validate a signature on code or a document. As we…
SSL Review: December 2020
Entrust’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from the…
Looking Back at 2020
2020 felt more like a maintenance year in the SSL/TLS ecosystem. Other than the certificate…
SSL Review: November 2020
Entrust’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from the…
SSL Review: October 2020
Entrust’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from the…
SSL Review: September 2020
Entrust’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from the…
TLS Protocol 1.2 Vulnerable to Raccoon Attack
Recently, a team of researchers discovered a vulnerability with all versions of the SSL and…
SSL Review: August 2020
Entrust’s monthly SSL review covers SSL/TLS discussions – recaps news, trends, and opinions from the…
SSL Review: July 2020
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
SSL Review: June 2020
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
SSL Review: April and May 2020
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions – recaps news, trends, and opinions from…
SSL Review: March 2020
Entrust Datacard’s monthly SSL review covers TLS/SSL discussions – recaps news, trends and opinions from…
SSL Review: February 2020
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions – recaps news, trends and opinions from…
Apple Announces 398-day Maximum Certificate Lifetime
At the 49th meeting of the CA/Browser Forum held in February 2020, Apple announced that…
SSL Review: January 2020
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
SSL Review: December 2019
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
SSL Review: November 2019
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
Chrome Kills Mixed Content for HTTPS
In a phased approach, Chrome plans to block mixed content on secure websites to improve…
SSL Review: October 2019
CASC Paul Walsh provides a great blog about The Insecure Elephant in the Room and browser based…
SSL Review: September 2019
October 2019 by
Bruce Morton
Entrust Datacard The Value of EV Certificates Remains Regardless of Changes to the EV Indicator…
SSL Review: August 2019
September 2019 by
Bruce Morton
CASC … 9 Common Myths About CAs Shortening Validity Period of SSL/TLS Certificates … Web…
SSL Review: July 2019
August 2019 by
Bruce Morton
CASC The Advantages of Short-Lived SSL Certificates for the Enterprise Bulletproof TLS Newsletter #55 Kazakhstan…
SSL Review: June 2019
July 2019 by
Bruce Morton
CASC What the Latest Firefox Update Means for SSL Certificates What Are Subordinate CAs and…
SSL Review: May 2019
June 2019 by
Bruce Morton
The Entrust Datacard monthly SSL review covers SSL/TLS discussions with a recap of news, trends…
SSL vs. TLS
Several years ago, I wrote “Is it SSL, TLS or HTTPS?” This was a simple…
SSL Review: April 2019
May 2019 by
Bruce Morton
The Entrust Datacard monthly SSL review covers SSL/TLS discussions with a recap of news, trends…
SSL Review: March 2019
The Entrust Datacard monthly SSL review covers SSL/TLS discussions with a recap of news, trends…
SSL Review: February 2019
March 2019 by
Bruce Morton
Entrust Datacard provides information on TLS 1.3 and phone domain name validation methods: TLS 1.3, Less…
What’s the Difference Between a Public and Private Trust C...
Public and private trust certificates are types of SSL/TLS certificates that are formatted to suit…
IP Address Validation Used for Issuing SSL/TLS Certificates
March 2019 by
Bruce Morton
The CA/Browser Forum continues to update the validation methods used for issuing SSL/TLS certificates to…
Phone Domain Name Validation for SSL Certificates
February 2019 by
Bruce Morton
The CA/Browser Forum continues to improve domain name validation for SSL/TLS certificates. Following new methods…
SSL Review: January 2019
February 2019 by
Bruce Morton
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
TLS 1.3, Less is More
Increases in both performance and security are what can be expected as TLS 1.3 takes…
Introducing Domain Name Validation Method 13
January 2019 by
Bruce Morton
In 2018, the CA/Browser Forum held a domain validation summit to the review the approved domain…
Removal of Underscores from Domain Names
January 2019 by
Bruce Morton
In November 2018, the CA Browser Forum voted to sunset the use of underscore characters in…
SSL Review: December 2018
January 2019 by
Bruce Morton
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
2019 – Looking Back, Moving Forward
Looking Back at 2018 2018 was an active year for SSL/TLS. We saw the SSL/TLS…
What Does Your CAA Say?
January 2019 by
Bruce Morton
Certification Authority Authorization (CAA) is a method for a domain owner to permit one or…
SSL Review: November 2018
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
Major Browsers Coordinated on Deprecating TLS 1.0 and 1.1
November 2018 by
Bruce Morton
In an unprecedented move for the SSL/TLS ecosystem, the four major browsers have uniformly announced…
Domain Validation – Where are We Now?
August 2018 by
Bruce Morton
Public trust SSL/TLS certificates assert an association between a domain name and a public key….
SSL Review: May and June 2018
July 2018 by
Bruce Morton
Entrust Datacard … The tipping point for HTTPS is closing in. Marketers, are you ready?…
SSL Review: March 2018
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
Chrome Will Show Not Secure for all HTTP Sites Starting July...
March 2018 by
Bruce Morton
Through 2017 and into 2018, we have seen the use of HTTPS grow substantially. Last…
Grade Changes to the SSL Server Test – Coming March 20...
February 2018 by
Bruce Morton
Entrust Datacard supports SSL Server Testing as part of our best practices approach to certificate management. This…
Chrome Requires CT after April 2018
February 2018 by
Bruce Morton
The Internet ecosystem has been working towards Chrome’s requirement for certificate transparency (CT) for all…
2018: Looking Back, Moving Forward in SSL
January 2018 by
Bruce Morton
Looking Back at 2017 2017 saw the end of SHA-1 in public trust SSL/TLS certificates…
ROBOT Attack on RSA Encryption
The Return Of Bleichenbacher’s Oracle Threat (ROBOT) attack takes advantage of an old vulnerability discovered by Daniel Bleichenbacher in…
SSL Review: November 2017
December 2017 by
Bruce Morton
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions — recaps news, trends and opinions from…
How Can I Protect My Brand TLD?
November 2017 by
Bruce Morton
Originally, there were just seven generic top level domains (gTLDs) and a couple hundred country code TLDs…
Impact of ROCA on SSL
October 2017 by
Bruce Morton
Return of Coppersmith’s Attack (ROCA) is a vulnerability in the generation of RSA keys used by a…
HTTP Public Key Pinning: No Longer a Good Idea
October 2017 by
Bruce Morton
Public Key Pinning was great idea at first. Google used static public keys to protect…
Coming Soon: More “Not secure” Browser Warnings
September 2017 by
Bruce Morton
Chrome currently issues a “Not secure” browser warning for pages accepting password and/or credit card…
SSL Review: May 2017
Entrust’s monthly SSL review covers SSL/TLS discussions “” recaps news, trends and opinions from the…
Certificate Transparency Deadline Moved to April 2018
May 2017 by
Bruce Morton
Google just announced they will not be enforcing certificate transparency (CT) logging for all new TLS…
SSL Review: March 2017
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions “” recaps news, trends and opinions from…
Bye Bye SHA-1
April 2017 by
Bruce Morton
Entrust Datacard made the decision to stop issuing any type of public trust certificates using…
Maximum Certificate Lifetime Drops to 825-days in 2018
March 2017 by
Bruce Morton
The CA/Browser Forum has taken a progressive step by reducing SSL/TLS certificate lifetimes from 39…
New Mandatory CAA Checking on the Horizon
March 2017 by
Bruce Morton
Certification Authority Authorization (CAA) allows a domain owner to specify in their DNS or DNSSec…
Bad Actors Catalyst Behind New Standards for Code Signing
Code Signing is a cryptographic process to digitally sign executables and scripts. The signature confirms…
2017 Looking Back, Moving Forward
Looking Back at 2016 Fortunately, 2016 was not a year full of SSL/TLS vulnerabilities. Although some…
SSL Review: November 2016
Entrust Datacard’s monthly SSL review covers SSL/TLS discussions “” recaps news, trends and opinions from…
Certificate Transparency Deployment in 2017
November 2016 by
Bruce Morton
Google announced the requirement for Certificate Transparency for all new SSL/TLS certificates in October 2017. This…
Why is Certificate Expiration Necessary?
October 2016 by
Bruce Morton
The Long Life Certificate – Why It Doesn’t Exist Why is certificate expiration even necessary?…
Protect Your Domain with CT Search
How would you know if there have been any unauthorized SSL certificates issued for your…
TLS/SSL Comprehensive History
Security is one driving factor in the evolution of technology. Here’s a timeline showing how…
Observatory by Mozilla will Make the Internet a Safer Place
Mozilla has released a new website, Observatory, to help developers, system administrators, and security professionals…
TLS/SSL Comprehensive History
September 2016 by
Bruce Morton
Security is one driving factor in the evolution of technology. Here’s a timeline showing how…
Chrome to Show HTTP Sites as Not Secure
September 2016 by
Bruce Morton
Always-On SSL should be deployed to prevent the “Not secure” warning Website owners who do…
Trust Indication Change in Google Chrome
Google is making security icon changes in the Chrome status bar. The changes are based…
THREAT ALERT: How a SWEET32 Birthday Attack is Deployed and ...
August 2016 by
Bruce Morton
Details surrounding the SWEET32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN can…
HEIST Supports BREACH and CRIME Attacks
At Black Hat USA 2016, doctoral candidates Mathy Vanhoef and Tom Van Goethem presented HEIST, an…
Minimum Requirements for Code Signing Certificates
August 2016 by
Bruce Morton
It is time for an update on the Baseline Requirements for Code Signing. First the…
HTTPoxy: Another Reason for HTTPS Everywhere
July 2016 by
Bruce Morton
Emerging vulnerabilities underscore the argument for creating a safer Internet for everyone including domain owners…
SSL Review: May 2016
Entrust’s monthly SSL review covers SSL/TLS discussions “” recaps news, trends and opinions from the…
Do You Need CT for Non-EV Certificates?
June 2016 by
Bruce Morton
We have been receiving some questions about Certificate Transparency. The main question is should non-EV SSL/TLS…
SSL 2.0 and DROWN
A team of researchers has announced a vulnerability with SSL 2.0 called Decrypting RSA with Obsolete and Weakened eNcryption; otherwise known…
Let’s Test Google Chrome’s Security Overview
March 2016 by
Bruce Morton
I probably missed a Google blog, but when I was checking the details of a…
Changes to Support SHA-1 Migration
Entrust provides security beyond the TLS certificate. We are a strong supporter of the CA/Browser…
What’s the Future for SHA-1 and Browser Users as of Ja...
On January 1, 2016, the public trust certification authorities (CAs) will stop issuing SHA-1 signed…
2016 – Looking Back, Moving Forward
Looking Back at 2015 A number of new tactics proved 2015 was no exception to…
SSL Review: November 2015
Entrust’s monthly SSL review covers SSL/TLS discussions “” recaps news, trends and opinions from the…
Keep Moving to SHA-2 — Leading Browsers Fast Track SHA-1 D...
Research indicates that SHA-1 signed SSL/TLS certificates face increasing vulnerabilities forcing leading browsers to reconsider…
Always-On SSL, The President Wants It Too
September 2015 by
Bruce Morton
In June 2015, the US chief information security officer (CIO) issued a memorandum to mandate…
The Value of EV Certificates
August 2015 by
Bruce Morton
I had the opportunity to review a verification issue last week, and it had me…
High Severity Vulnerability Found In OpenSSL
July 2015 by
Bruce Morton
OpenSSL has announced a high severity vulnerability, CVE-2015-1793 which will require an upgrade to some…
What is Server Name Indication?
You have a dilemma. You want to continue to deploy your web service but are…
SSL Review: May 2015
Entrust’s monthly SSL review covers SSL discussions “” recaps news, trends and opinions from the…
New SSL Certificates with New Keys Reduce Vulnerabilities
April 2015 by
Bruce Morton
As of April 1st, 2015, the lifetime of SSL certificates has now been reduced to…
Microsoft Deploys Certificate Reputation
As we have stated previously, website owners have a concern that an attacker can have…
Raising the Benefits of HTTP/2 Security
The approval of HTTP/2 by the Internet Engineering Steering Group (IESG) back in mid-February marked the next…
What Happened with Live.fi?
Comodo issued an SSL certificate for live.fi. The issue is the certificate requester did not…
Private Trust and Proxies
With the news of Superfish, Komodia and PrivDog , there has been some interesting discussion…
What Happened with Live.fi?
March 2015 by
Bruce Morton
Comodo issued an SSL certificate for live.fi. The issue is the certificate requester did not…
20 Years of PKI and Secure Transactions
Almost 20 years ago, the first publicly trusted certification authorities (CAs) began generating their root…
Is Your SSL Server Vulnerable to a FREAK Attack?
FREAK is a new man-in-the-middle (MITM) vulnerability discovered by a group of cryptographers at INRIA, Microsoft…
Update — Chrome 41 Release and SHA-1
When Google Chrome 41 is released, it will treat certificate chains using SHA-1 which are…
2015 – Looking Back, Moving Forward
This post was originally published on the CA Security Council blog. Looking Back at 2014 …
Moving Forward with Certificate Transparency
As we move in 2015, you will start to see Certificate Transparency deployed on EV SSL certificates. Google…
SSL Review: November 2014
December 03, 2014 By Bruce Morton Entrust’s monthly SSL review covers SSL discussions “” recaps…
Infographic: Switching to SHA-2 SSL
In 2005, it was discovered that the secure hash algorithm SHA-1 wasn’t as strong as it was…
Secure Your Website with HSTS
This post was originally published on the CA Security Council blog. Is your website secure?…
Understanding SHA-1 Vulnerabilities “” Is SSL No Lon...
October 2014 by
Bruce Morton
Lately, SSL has come under fire and users may be under the impression that, perhaps,…
Google is Sun-Setting SHA-1 in Upcoming Chrome Releases
Google announced on September 5, 2014, that Chrome will sunset SHA-1 by providing security warnings through the…
Internet of Things – Beware
We are now moving into the deployment of the Internet of Things (IoT). IoT is an…
Monitor Your Domains with Certificate Transparency
July 2014 by
Bruce Morton
Over the last few years, we’ve witnessed publicly trusted SSL certificates issued to domain names…
More Google Fraudulent Certificates
July 2014 by
Bruce Morton
On July 2, Google became aware of fraudulent certificates that were incorrectly issued to Google-owned domain names….
OCSP Must-Staple
This post was originally published by on the CA Security Council blog. With the announcement of…
Moving to TLS 1.2
In 2014, there will be a trend for website owners to implement TLS 1.2 on their servers….
Protect Your Private Keys: Three Easy Steps for Safe Code-Si...
A recent article by the Microsoft malware protection center, “Be a real security pro –…
Java Secures Supply Chains through Code Signing
December 2013 by
Bruce Morton
This post was originally published by Bruce Morton & Erik Costlow on the CA Security Council blog….
IETF 88 – Pervasive Surveillance
December 2013 by
Bruce Morton
This post was originally published on the CA Security Council blog. Internet Surveillance The big news…
Securing Software Distribution with Digital Code Signing
This post was originally published on theCA Security Council blog. Code signing certificates from publicly…
Chrome Shows SSL Warning for Non-FQDNs
Entrust completed an internal test recently and was surprised by a warning from Google Chrome…
How is Your Browser Performing?
October 2013 by
Bruce Morton
We always discuss SSL deployment best practices. These are the actions the Web server administrator takes….
Secure Non-Registered Domains with New Private SSL Certifica...
October 2013 by
Bruce Morton
Are you an SSL certificate owner that has SSL certificates that protect non-registered domains? What…
Do You Have a New gTLD?
October 2013 by
Bruce Morton
The Internet Corporation for Assigned Names and Numbers (ICANN) is currently approving many generic top-level…
Updated SSL/TLS Deployment Best Practices
First, I would like to than Ivan Ristic for his development of the SSL/TLS deployment…
DNS Registrar Vulnerabilities
Watchers of the SSL industry follow SSL protocol attacks such as BEAST, CRIME, Lucky 13 and RC4 closely. They also track…
Public Key Pinning
September 2013 by
Bruce Morton
This post was originally published on the CA Security Council blog. The current browser-certification authority (CA)…
Why Do I Need UC Multi-Domain SSL Certificates?
This certificate is sometimes called unified communications certificate (UCC), multi-domain certificate or multi-SAN certificate. In…
CAs Being Audited to Baseline Requirements
August 2013 by
Bruce Morton
Certification authorities (CA) have always been compliance-minded and have historically imposed third-party audits upon themselves….
Moving to 2048-bit Keys
July 2013 by
Bruce Morton
In the last few months, I have been reading blog posts (e.g., Google and Evernote) about certificate subscribers…
CAs Support Standards and Regulations
May 2013 by
Bruce Morton
This post was originally published on the CA Security Council blog. There is an industry myth…
Could be Problems with New gTLDs
May 2013 by
Bruce Morton
The PayPal information risk management team warns that the introduction of new generic top-level domains, or gTLDs,…
Firefox to Block Mixed Content
Congratulations, Mozilla, on your plan to release Firefox 23 that will block mixed content. Website owners…
SSL Fingerprints
Are your secure SSL communications being compromised by a man-in-the-middle (MITM) attack? This issue came…
RC4, CBC, what the …?
We had the BEAST attack and it was said, “Prioritize RC4 cipher suite.” We had the Lucky Thirteen attack and…
IETF 86 – Web PKI Working Group
March 2013 by
Bruce Morton
At the IETF 86 meeting in Orlando last week, there was a working group meeting…
SSL Certificate Status Checking
As part of its effort to promote SSL certificate best practices, the CA Security Council (CASC) has…
Mozilla Endorses SSL Baseline Requirements
The CA/Browser Forum SSL Baseline Requirements have been endorsed by Mozilla and have been included…
Lights Out: Super Bowl and OCSP
February 2013 by
Bruce Morton
We were monitoring the performance of our OCSP service over the weekend and found an…
What is Time Stamping?
June 2012 by
Bruce Morton
What happens to signed code when the code signing certificate expires? In many cases, an…