What the ICANN SSAC Report Doesn’t Tell You

Posted by on March 22, 2013 0 comments

The CA Security Council, which comprises seven of the largest CAs, read with interest the article titled, “Internal-use SSL certificates pose security risk for upcoming domain extensions.” As a group in one of the best positions to understand the impact of the new gTLDs on organizational security infrastructure and the Internet as a whole, we felt it appropriate to comment on this and related stories which summarize the ICANN Security and Stability Advisory Committee (SSAC) report sac 045 Invalid Top Level Domain Queries at the Root Level of the Domain Name System. Although we...

Read More

IETF 86 – Web PKI Working Group

Posted by on March 21, 2013 0 comments

At the IETF 86 meeting in Orlando last week, there was a working group meeting discussing the operations of the Web PKI. At the previous IETF 85 meeting a birds-of-a-feather was held to discuss the purpose of having such a group. The result of the meeting was an established group with the charter that states purposes such as: Working group will work to improve the consistency of Web security behavior Address problems as seen by the end-users, certificate holders and CAs Describe how the Web PKI actually works Prepare documented deliverables as discussed below The meeting discussed the...

Read More

All You Need to Know About the RC4 Encryption Scheme

Posted by on March 14, 2013 0 comments

The latest published attacks target specific algorithms used within SSL/TLS. Those algorithms are used when a client connects to a server via SSL/TLS; they’re not used when a Certificate Authority signs a certificate. The attacks demonstrate potential weaknesses in the use of the algorithms. While interesting, the attacks don’t represent an immediate practical threat to users of SSL/TLS (including online banking, e-commerce, social networking, etc.). Such attacks require an attacker to run malicious software on a user’s computer which would connect to a particular web site...

Read More

The Importance of Revocation Checking Part 2: A Real World Example

Posted by on March 11, 2013 0 comments

Just last week, a new security incident related to certificate revocation checking made headlines. It was discovered that a legitimate website was hosting a malicious Java application that installed malware on the computers of people who visited the site. This comes after recent updates that introduced Security Level settings in Java, and then raised the default from Medium to High. At the high level, users are shown a warning before any unsigned Java code is executed. Unfortunately, this recent incident exposed a method that allows an attacker to bypass the warning. Java supports the use of...

Read More

The Importance of Checking for Certificate Revocation

Posted by on March 8, 2013 0 comments

Certificates are typically valid for one to three years, and during that time it’s possible that the web site owner or the CA realizes that end users should not trust the certificate. There are several cases in which this might happen, including these: The web site owner ceases doing business, no longer owns the domain name used in the certificate, has changed their organization name, or wishes to shut down the web server. The subscriber learns that an unauthorized party has gained access to the private key associated with the public key in the certificate. The CA learns that errors...

Read More