Posts by bmorton

Stricter Standards for SSL Server Test Coming in 2017

Posted by bmorton on December 13, 2016 in Blog

This is a good time to offer a reminder that the CASC has a great tool for secure server testing, the SSL Server Test. The tool grades your server installation and reviews the certificate, protocol support, key exchange and cipher strength against current standards and known vulnerabilities. The grading tool also provides feedback on handshake simulations with various versions of browsers and operating systems, so the server administrator knows which implementations are supported. The test also checks the server's mitigation of known vulnerabilities such as DROWN, BEAST, POODLE...


Why Is Certificate Expiration Necessary?

Posted by bmorton on October 19, 2016 in Blog

The Long Life Certificate – Why It Doesn’t Exist

Why is certificate expiration even necessary? Wouldn’t it be better if I could just buy a certificate with a long life before expiration? It would really simplify certificate management if it could be installed and forgotten. Simple, no management required, just file-and-forget. Imagine I’ve been in business since, say, 10 to 15 years ago. I roll out my web pages and secure them with a 20-year-validity SSL certificate. I do this by creating a 512-bit RSA key securely stored in the server’s key store. Hey! No, I’ll be more secure and...


Chrome to Show HTTP Sites as Not Secure

Posted by bmorton on September 15, 2016 in Blog

Always-On SSL should be deployed to prevent the “Not secure” warning

Website owners who do not secure their website with an SSL/TLS certificate will have to rethink their online strategy. In a push to make the Internet safer for all users, Google will soon be issuing a stronger warning to visitors who navigate to a website that does not have the protection of an SSL/TLS certificate. With the release of Chrome 53 on Windows, Google changed the trust indicators to introduce the circle-i. Subsequently, Google announced that a new warning message will be issued when a website is not using...


How a SWEET32 Birthday Attack is Deployed and How to Prevent It

Posted by bmorton on September 7, 2016 in Blog

Details surrounding SWEET32, the birthday attack on 64-bit block ciphers in TLS and OpenVPN, can be found in the paper released by Karthikeyan Bhargavan and Gaëtan Leurent of INRIA in France. The paper shows that cipher suites using ciphers with a 64-bit block length are vulnerable to plaintext recovery attacks. As such, Triple-DES (3DES) and Blowfish are vulnerable. Here’s an overview.

Vulnerabilities to a SWEET32 Birthday Attack

Certain scenarios are predisposed to a SWEET32 birthday attack. For HTTPS, the most susceptible are websites that support the 3DES algorithm and sustain long-lived...


Trust Indication Change in Google Chrome

Posted by bmorton on August 24, 2016 in Blog

Google is making security icon changes in the Chrome status bar. The changes are based on a research paper prepared by members of Google and the University of California, Berkeley. The research evaluated forty icons and seven complementary strings, and surveyed 1,329 people. The goal is to make it easier for browser users to determine how secure their connection to a site is, and to indicate whether the site is dangerous or deceptive. In addition, the icons are meant to indicate to people that HTTP is less secure than HTTPS. Below are representations of the old icons and the selected new icons which are to be used...
