Chrome Will Show Not Secure for all HTTP Sites Starting July 2018

Posted by on February 15, 2018 0 comments

Through 2017 and into 2018, we have seen the use of HTTPS grow substantially. Last Fall Google announced the following status: Over 68% of Chrome traffic on both Android and Windows is now protected Over 78% of Chrome traffic on both Chrome OS and Mac is now protected 81 of the top 100 sites on the web use HTTPS by default Google helped to drive this growth by implementing the “Secure” and “Not secure” status in Chrome’s status bar. “Secure” was provided for HTTPS sites. “Not secure” was implemented progressively, first resulting for HTTP pages requiring a password or...

Read More

2018 – Looking Back, Moving Forward

Posted by on January 6, 2018 0 comments

Looking Back at 2017 2017 saw the end of SHA-1 in public trust SSL/TLS certificates and the start of Certification Authority Authorization (CAA) allowing domain owners to authorize their CA. A “Not secure” browser indication was propagated to push more websites to support HTTPS. There was also a change in the certification authority (CA) ownership with DigiCert acquiring Symantec’s SSL and related PKI business and Francisco Partners buying Comodo’s CA. Vulnerabilities Google and CWI announced SHAttered, an attack on the SHA-1 cryptographic hash function. The attack was demonstrated...

Read More

Certificate Transparency Deadline Moved to April 2018

Posted by on May 3, 2017 0 comments

Google just announced they will not be enforcing certificate transparency (CT) logging for all new TLS certificates until April 2018. In a previous blog post, we advised that Google provided a new policy, which required new TLS certificates to be published to the CT logs in order for the domain to be trusted by Chrome. The reason for the delay was not clear, but Google needs to consider the following: Overall CT policy discussions with the major stakeholders are underway, but we are still far away from a conclusion. Other browsers appear to be supporting CT, but have yet to determine their...

Read More

2017 – Looking Back, Moving Forward

Posted by on January 13, 2017 0 comments

Looking Back at 2016 Fortunately, 2016 was not a year full of SSL/TLS vulnerabilities. Although some researchers did prove old cryptography algorithms should be put out to pasture. The year showed the end of public-trusted SHA-1 SSL/TLS certificates. It also showed more transparency should be considered due to issues discovered with a few certification authorities (CAs). The great news is HTTPS is no longer the minority — after 20 years, connections using HTTPS has surpassed HTTP. Vulnerabilities Researchers terminated the use of the SSL 2.0 version of the protocol after a vulnerability...

Read More

Stricter Standards for SSL Server Test Coming in 2017

Posted by on December 13, 2016 0 comments

This is a good time to offer a reminder that the CASC has a great tool for secure server testing, the SSL Server Test. The tool grades your server installation and reviews the: certificate, protocol support, key exchange and cipher strength for security against standards and known vulnerabilities. The grading tool also provides feedback on handshake simulations with various versions of browsers and operating systems. This lets the server administrator know which implementations are supported. The test also checks the server mitigation for known vulnerabilities such as: DROWN, BEAST, POODLE...

Read More