Tag Archives: Public Key Pinning

Certificate Reputation

March 10, 2014 by Bruce Morton     No Comments

One of the advantages of the SSL industry is that certificates can be issued from most trusted certification authorities (CAs). This allows certificate customers flexibility in choosing their CA or deciding to use a number of CAs. The disadvantage is the end-user does not know if the CA was authorized to issue the certificate and [Read More...]

2014 – Looking Back, Moving Forward

March 3, 2014 by Bruce Morton     1 Comment

Looking Back at 2013: Protocol Attacks. The year started with a couple of SSL/TLS protocol attacks: Lucky Thirteen and the RC4 attack. Lucky Thirteen allows the decryption of sensitive information, such as passwords and cookies, when using a CBC-mode cipher suite. Lucky Thirteen can be mitigated by implementing software patches or preferring the cipher suite RC4. [Read More...]

Bogus SSL Certificates

February 16, 2014 by Bruce Morton     No Comments

Netcraft has published an article stating they have found many bogus SSL certificates. In this case, a bogus certificate is self-signed (i.e., not issued from a legitimate certification authority) and replicates an SSL certificate of a large, popular website. This type of bogus SSL certificate could be used for a man-in-the-middle (MITM) attack. In this [Read More...]

Filed Under: Digital Certificates, SSL Tagged With: MITM, Public Key Pinning, SSL

Public Key Pinning

September 6, 2013 by Bruce Morton     3 Comments

This post was originally published on the CA Security Council blog. The current browser-certification authority (CA) trust model allows a website owner to obtain its SSL certificate from any one of a number of CAs. That flexibility also means that a certificate mis-issued by a CA other than the authorized CA chosen by the website owner, [Read More...]

Filed Under: General, SSL, SSL Deployment

Some Comments on Web Security

June 14, 2013 by Bruce Morton     No Comments

Web security is a topic important to the health and viability of the internet. It is crucial for the privacy, integrity and authenticity of sites and users alike.

Public Key Pinning Extension for HTTP

January 21, 2013 by Bruce Morton     No Comments

In 2011, Google added public key pinning to Chrome. They white-listed the certification authority public keys that could be used to secure Google domains.

TURKTRUST Unauthorized CA Certificates

January 4, 2013 by Bruce Morton     No Comments

Although unrelated to Entrust, I thought you might be interested in the news about TURKTRUST.

Public Key Pinning

May 26, 2011 by Bruce Morton     No Comments

In the wake of the Comodo attack, the Internet industry is looking for ways to mitigate similar attacks in the future. Public key pinning may prove to be effective. Google has developed the public key pinning concept that will debut in Chrome version 13 for most Google Internet properties (e.g., https://www.google.com). Public key pinning means [Read More...]

Filed Under: Secure Browsing, SSL, Technical Tagged With: HSTS, Public Key Pinning