Posts by khall

Practical Steps to Counter the Logjam Attack

Posted by on May 26, 2015 in Blog | 1 comment

Another flaw has been found in the basic encryption algorithms that secure the Internet. This flaw, named the Logjam attack by its discoverers (researchers from various universities and companies), allows an attacker who can carry out man-in-the-middle (MitM) attacks to weaken the encryption used in secure connections (such as HTTPS, SSH, and VPNs). In theory, this means that an attacker (with sufficient resources) can break the encryption and read the “secure” traffic. In some ways, this attack is a subset of the recent FREAK attack. Both attacks were made possible by support for...

Who Sets the Rules Governing Certification Authorities?

Posted by on August 19, 2014 in Blog | 1 comment

Every time something positive is published about SSL and encryption, such as Google’s recent decision to make use of https encryption a favorable rating factor for a website, or negative, such as the Heartbleed issue – bloggers and others always post questions about public Certification Authorities (CAs), including general questions on who sets the rules that govern CAs. Some bloggers seem to assume there are no rules or standards, and that CAs can operate without any requirements or limitations at all — that’s incorrect. The answer on who sets the rules governing CAs is two-fold: in the first...

CA Security Council Members Presentation at RSA 2014 Conference: New Ideas on CAA, CT, and Public Key Pinning for a Safer Internet

Posted by on March 17, 2014 in Blog | 0 comments

CA Security Council (CASC) members Trend Micro, Go Daddy, and Symantec participated in a discussion panel at the 2014 RSA Conference in San Francisco on February 24 entitled “New Ideas on CAA, CT, and Public Key Pinning for a Safer Internet.” Panel members included Kirk Hall of Trend Micro (Moderator), Wayne Thayer of GoDaddy (Panelist), and Rick Andrews of Symantec (Panelist). Introduction to the Topic: Hall began by introducing the topic – all three alternative technologies (Certificate Transparency or CT, Certificate Authority Authorization or CAA, and Certificate Pinning) are intended to...

How Organizations Are Authenticated for SSL Certificates

Posted by on November 22, 2013 in Blog | 0 comments

Certification Authorities (CAs) are trusted third parties that authenticate customers before issuing SSL certificates to secure their servers. Exactly how do CAs authenticate these organizations? And where are the rules that determine what CAs must do during authentication? The Rules on Customer Authentication: In the past, there were no common rules applicable to CAs as to minimum steps required to authenticate a customer before issuing an SSL certificate. Instead, each CA was permitted to create its own authentication processes, and was only required to describe the process in general terms...

Certificate Authority Audits and Browser Root Program Requirements

Posted by on October 15, 2013 in Blog | 6 comments

Recent news stories have highlighted the need for strong security in online communications, and use of SSL certificates issued by a publicly trusted Certification Authority (CA) is perhaps the best way to achieve that. But why should the public trust SSL certificates issued from commercial CA roots, which are embedded as trust anchors in web browsers? One answer is because of the multiple layers of standards and tough requirements that all commercial CAs must meet – and for which they are audited every year. These standards and requirements have increased from year to year over the past...