Tag Archives: HSTS

2014 – Looking Back, Moving Forward

March 3, 2014 by Bruce Morton

Looking Back at 2013
Protocol Attacks
The year started with two SSL/TLS protocol attacks: Lucky Thirteen and the RC4 attack. Lucky Thirteen allows the decryption of sensitive information, such as passwords and cookies, when a CBC-mode cipher suite is used. Lucky Thirteen can be mitigated by applying software patches or by preferring the RC4 cipher suite. [...]

Always-On SSL

February 6, 2014 by Bruce Morton

Always-On SSL is an approach to securing your website that mitigates attacks against your users. When I think of Always-On SSL, I think of three concepts: SSL across your entire site, SSL deployed according to best practices, and SSL with leading technology.
SSL across Your Entire Site
The approach to Always-On SSL is to avoid [...]

Filed Under: EV SSL, SSL, SSL Deployment Tagged With: EV SSL, HSTS, OCSP stapling

IETF 88 – Pervasive Surveillance

December 2, 2013 by Bruce Morton

This post was originally published on the CA Security Council blog.
Internet Surveillance
The big news at IETF 88 in Vancouver was the technical plenary on Hardening the Internet, which discussed the issue of pervasive surveillance. Pervasive surveillance is mass surveillance of an entire population or a substantial fraction of one. The surveillance is usually [...]

Filed Under: SSL, SSL Deployment Tagged With: HSTS, IETF, perfect forward secrecy

HSTS RFC Finalized

November 21, 2012 by Bruce Morton

HTTP Strict Transport Security (HSTS) has been finalized and published as RFC 6797. The purpose of HSTS is to allow a website to declare to complying user agents that they should interact with it using a secure connection such as HTTPS. In order to implement HSTS, a website must include a statement in its header, such [...]

Living with HTTPS

July 20, 2012 by Bruce Morton

Here is a post by Adam Langley, who works on transport security at Google. These are the notes he prepared for a talk he gave at HOPE9 last week. HOPE stands for Hackers On Planet Earth. Adam’s talk does not focus on CAs and certificates. His notes deal with HTTPS issues, and he really pushes for the [...]

Filed Under: SSL Deployment Tagged With: Google, HOPE, HSTS

HSTS Update

July 16, 2012 by Bruce Morton

HTTP Strict Transport Security (HSTS) will soon be finalized and published as an IETF standard. The request for comments (RFC) draft is at version 11, and the IESG has issued a last call for comments. HSTS is a security policy mechanism by which a web server tells a supporting browser that it may only connect to [...]

SSL/TLS Deployment Best Practices

July 3, 2012 by Bruce Morton

SSL Labs has created an SSL/TLS Deployment Best Practices guide. The guide contains valuable information on how to deploy SSL in your environment. The data from SSL Pulse shows that there are plenty of SSL implementations that could be configured more securely. These problems do not come from the CA, the certificate, the browser or the [...]

Public Key Pinning

May 26, 2011 by Bruce Morton

In the wake of the Comodo attack, the Internet industry is looking for ways to mitigate similar attacks in the future. Public key pinning may prove to be effective. Google has developed the public key pinning concept, which will debut in Chrome version 13 for most Google Internet properties (e.g., https://www.google.com). Public key pinning means [...]

Filed Under: Secure Browsing, SSL, Technical Tagged With: HSTS, Public Key Pinning

How to Deploy HTTPS Correctly

December 5, 2010 by Bruce Morton

I came across ‘How to Deploy HTTPS Correctly’, written by Chris Palmer of the Electronic Frontier Foundation. Chris does a great job of explaining why website operators should use HTTPS rather than plain HTTP. He points out a couple of good practices that were not addressed in my earlier blog post, ‘SSL Deployment Mistakes’: Scope sensitive [...]

Filed Under: SSL Deployment Tagged With: HTTPS, STS

HTTP Strict Transport Security (HSTS)

November 26, 2010 by Bruce Morton

I recently blogged about Firesheep, the Firefox extension that can be used to compromise a secure connection to a website that you have connected to from an open Wi-Fi hotspot. The truth is that the vulnerability Firesheep exposes is not new, but little had been done about it. Not anymore: help is on the way. [...]

Filed Under: Secure Browsing, SSL Deployment Tagged With: Firefox, Firesheep, HSTS