SSL News from Black Hat and DEF CON

Bruce Morton

I like to follow up each year with the SSL news from Black Hat USA and DEF CON 20. I was just looking for my 2011 follow-up and found out that I never released it. Unfortunately, I started the write up just before the DigiNotar fiasco and never finished it.

So what SSL presentations occurred in 2012? Nothing. Well, at least none that my reporters told me about, as I didn’t actually attend either conference.

On the other hand, the SSL industry has not been idle since 2011. The attacks on Comodo and Vasco/DigiNotar highlighted some vulnerabilities. There were also known certificate-management issues, since there was no industry standard for the issuance of non-EV SSL certificates. As a result, the following happened:

  • Browser vendors such as Microsoft and Mozilla increased the requirements of their certificate policies
  • The CA/Browser Forum released the Baseline Requirements for all publicly-trusted SSL certificates
  • Most CAs became compliant with the Baseline Requirements by the target date of July 1, 2012
  • The CA/Browser Forum released Network and Certificate System Security Requirements

Just to be complete, the 2011 shows had three topics about SSL:

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
