Entrust’s monthly review of SSL discussions — and likely other digital certificates — recaps news, trends and opinions from the industry.
Entrust and CA Security Council
Entrust Identity ON discussed:
- 2014 – Looking Back, Moving Forward
- Elliptic-Curve Cryptography, Simplified
- Who will Control ICANN?
- Your Audit Report has Expired
CA Security Council discussed:
- Think Twice Before Using DV for E-Commerce
- New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
- When to Choose an Extended Validation Certificate
- Certificate Reputation is a Microsoft-proposed solution to improve the trustworthiness of certificates.
Hot Topics & Opinions
Always-On SSL … although the term is not necessarily used, the Always-On SSL philosophy is being promoted:
- eWeek posts a reference to Always-On SSL.
- Edward Snowden promotes Always-On SSL when saying “enable web encryption on every page you visit.”
- LinkedIn provides setting for HTTPS and is looking to make HTTPS the default.
- A 10-point plan to keep NSA out of our data includes Always-On SSL and advanced topics such as HSTS and perfect forward secrecy.
- Google has made Gmail available by HTTPS-only.
- Should new web features be HTTPS only?
- Computerworld author gets negative feedback when he states “Google’s decision to force all Gmail subscribers to use HTTPS encryption goes too far.”
- David Hamilton says, “To build trust online, SSL certificates are still the starting point.”
- Google has set a plan to have Certificate Transparency deployed for EV certificates by February 1, 2015.
- With Certificate Transparency deployment, all EV SSL certificates will be publicly logged which is creating a privacy concern. Brad Hill challenges the privacy issue.
Ivan Ristić … drafted blog posts on the following:
- Updates to his book Bulletproof SSL/TLS and PKI, which website operators should consider purchasing.
- Advises how to build your own test for Apple’s TLS authentication bug.
- Significant SSL/TLS improvements in Java 8.
- HTTPS mixed content: still the easiest way to break SSL.
News & Notes
- In February, Apple issued an iOS Security White Paper. This paper shows how serious Apple is to make iOS devices secure and has been reviewed by some information providers such as NetworkWorld.
- ImperialViolet reviews a low risk attack called TLS Triple Handshakes.
- Windows PKI blog discusses certificate constraints and how they are used.
- GnuTLS, an alternative to OpenSSL, released an upgrade to mitigate a vulnerability which would support a Man-In-The-Middle (MITM) attack.
- UC Berkley and Intel Labs released a paper called I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis.
- WhatsApp has SSL problems such as non-support for pinning and support for null ciphers.
- Nearly three years after it closed, hackers are still trying to use DigiNotar’s certificates.
- EFF has recommendations for website operators who wish to protect their users from man-in-the-middle (MITM) attacks such as deploy HTTPS, secure HTTP cookies, support perfect forward secrecy and use public key pinning.
- Mark Nottingham writes about trying out TLS for HTTP://URLs.
- First tweet website suffers security issues.
- Leibniz University Hannover and University of Bonn perform study which recommends removal of roots that are not used to sign certificates.