Entrust’s monthly SSL review discussions — and likely other digital certificates — recaps news, trends and opinions from the industry.
Entrust and CA Security Council
Entrust Identity ON discussed:
- Do You Need SHA-2 Signed Root Certificates?
- OpenSSL Heartbleed Bug
- Heartbleed & OpenSSL – Do End-Users Need to Change Their Passwords?
- NIST Reconsiders Support for Suspect Algorithm
CA Security Council discussed:
- Reducing the Impact of Government Spying
- Heartbleed Bug Vulnerability: Discovery, Impact and Solution
- Perfect Forward Secrecy
- Revocation – A Cure For the Common Heartbleed
- Heartbleed Google Hangout
Hot Topics & Opinions
Heartbleed … there were many posts on the Heartbleed bug and how it affected OpenSSL implementations. Here’s a sample.
- The Heartbleed Bug
- National Vulnerability Database CVE-2014-0160
- Matthew Green’s thoughts Attack of the week: OpenSSL Heartbleed
- Bruce Schneier on Heartbleed, “On a scale of 1 to 10, this is an 11”; and further more…
- Dan Kaminsky agrees that OpenSSL is critical infrastructure
- Bloomberg says NSA knew about Heartbleed for two years
- CloudFlare tries to get private SSL keys
- Maybe OpenSSL can be replaced by LibreSSL or properly funded by the Linux Foundation
Revocation … as a result of Heartbleed, there is much discussion about certificate revocation.
- Netcraft states Chrome users are oblivious to revocation, Why browsers remain affected by Heartbleed and Why aren’t certificates being revoked?
- Adam Langley says Don’t enable revocation checkingand Revocation still doesn’t work
- Steve Gibson at GRC does a great certificate revocation overview which includes a Revocation Awareness Test, commentary on OCSP Must-StapleandChrome CRLSets
- Larry Seltzer says, Chrome does certificate revocation betterand acknowledges the Langley/Gibson certificate revocation controversy
Always-On SSL …
- Yahoo updates encryption and implements best practices such as TLS 1.2, Perfect Forward Secrecy, and 2048-bit RSA keys
- Microsoft tells EFF that it will support HSTS in IE12
- It’s Time to Encrypt the Entire Internet
News & Notes
- Universities of Texas and California wrote a paper called Using Frankencerts for automated adversarial testing of certificate validation in SSL/TLS implementations
- TrustyCon 2014 New Frontiers in Cryptography presentation has Chris Palmer discussing Certificate Transparency
- NIST has issued the SHA-3 standard
- WebTrust releases updated audit criteria for Extended Validation and Baseline Requirements for SSL certificates
- Ivan Ristić updated Bulletproof SSL and TLS
- Matthew Green tells us about the Apple Triple Handshake (3Shake)
- Google speeds up and strengths HTTPS connections for Chrome on Android
- Mozilla is trying to improve Certificate Verification with a $10,000 Security Bug bounty. The changes will be in Firefox 31.