Blog

5 Ways to Keep Up with Authentication Certificates

Posted by Arvid Vermote on February 24, 2020

When it comes to protecting an organization’s data and users, CISOs have no shortage of hurdles. Identity attacks have become sophisticated and convincing, thanks to ransomware, phishing and deep fakes. CISOs have long known the importance of strong identification and authentication controls, but with threats constantly changing and intensifying, having these controls in place is just one piece of the puzzle; they must be managed correctly in order to do their job. Firstly, organizations have a wide range of technologies available to prevent...

Read More

The CA Security Council Looks Ahead to 2020 and Beyond

Posted by Patrick Nohe and Doug Beattie on January 9, 2020

A whirlwind of activity will cause dramatic shifts across the PKI world in the year ahead Suffice it to say that 2019 was filled with challenges and contentiousness as Certificate Authorities and Browsers began to watch their shared visions diverge. The debate around Extended Validation continued as CAs pushed for a range of reforms and browsers pushed to strip its visual indicators. And a ballot to shorten maximum certificate validity periods exposed fault-lines at the CAB Forum. But while neither of those conversations are over – let alone...

Read More

Chrome Kills Mixed Content for HTTPS

Posted by Bruce Morton on December 6, 2019

In a phased approach, Chrome plans to block mixed content on secure websites to improve user security. Most browsers already block some mixed content such as scripts and iframes by default. Chrome is amping it up by gradually taking steps to also block images, audio recordings and videos, according to a recent Google Security blog. Preventing mixed content to load will eventually result in HTTPS websites losing their security indicator downgrading the site to HTTP, which alerts visitors that the site is not secure. Mixed content happens when...

Read More

Online Identity Is Important: Let’s Upgrade Extended Validation

Posted by Patrick Nohe on October 21, 2019

It’s time for the CA/Browser Forum to focus on the other half of its mandate Let’s have a candid discussion about Extended Validation SSL. What’s working. What’s NOT. And what can be done to fix it so that all parties involved are satisfied. But first, let’s zoom out and talk big picture. The vast majority of website owners almost never think of SSL. They worry about it once every year or so when it needs to be replaced, but it’s not really a major point of consideration. And even when it is, it’s on more of a macro level when managing...

Read More

The Insecure Elephant in the Room

Posted by Paul Walsh on October 10, 2019

[Update: October 16, 2019] The purpose of this article The purpose of this article is to demonstrate why I believe browser-based UI for website identity can make the web safer for everyone. I explain in great detail, the reasons why the UI and UX didn’t work in the past. And what’s left is only making the problem worse instead of better. Some people seem to find it difficult to consume my thoughts about the enforcement of “HTTPS EVERYWHERE”, free DV certs and the browser padlock. Please assume that I support all of these things. My...

Read More

Why Are You Removing Website Identity, Google and Mozilla?

Posted by Tim Callan and Kirk Hall on August 27, 2019

You can’t have consumer privacy without having strong website identity Today there’s a huge wave toward protecting consumer privacy – in Congress, with the GDPR, etc. – but how can we protect user privacy on the web without establishing the identity of the websites that are asking for consumer passwords and credit card numbers? Extended Validation (EV) certificates provide this information and can be very useful for consumers. Recently, Google and Mozilla have announced plan to eliminate the distinctive indicators in the Chrome and Firefox...

Read More

9 Common Myths About CAs

Posted by Tim Callan on August 1, 2019

Over the years misconceptions about CAs and the SSL infrastructure have arisen. Below is a list of common myths related to SSL and CAs. Myth #1: CAs are not regulated Fact: CAs are subject to various checks and balances, including third-party qualified audits through WebTrust or ETSI and strict criteria set forth by leading browsers, before they are accepted in browser root stores. Similarly, the CA/Browser Forum’s Baseline Requirements and Network Security Guidelines establish global standards for certificate issuance and CA controls that...

Read More

The Advantages of Short-Lived SSL Certificates for the Enterprise

Posted by Doug Beattie on July 18, 2019

Short validity period certificates are becoming ever more common to reduce the scope of data compromised if a server vulnerability is uncovered, such as HeartBleed.  Good security practice dictates changing keys on a regular basis, normally annually, but if you want to limit your exposure further, you can replace your certificates and underlying keys more frequently. Sandstorm is an open source server software that makes it easy to install web apps. In order to solve the problem of setting up DNS without too much complication, Sandstorm...

Read More

What Are Subordinate CAs and Why Would You Want Your Own?

Posted by Doug Beattie on June 26, 2019

Digital certificate and PKI adoption has changed quite a bit in recent years. Gone are the days where certificates were only synonymous with SSL/TLS; compliance drivers like stronger authentication requirements and digital signature regulations (e.g. eIDAS) have greatly expanded the role of PKI within the enterprise. As PKI usage has expanded, conversation has moved beyond just the number and type of certificates needed and onto deeper dialogue about custom PKI deployments. A large part of the conversation is around subordinate CAs, sometimes...

Read More

What the Latest Firefox Update Means for SSL Certificates

Posted by Tim Callan on June 14, 2019

Last month marked the release of Firefox 66, the newest iteration of the ever-popular web browser.  The update adds a number of interesting new features, including improvements to content loading and extension storage, auto-play sound blocking, and support for the AV1 codec (on the Windows version at least).  The search feature has also been improved, and, as is typical of browser updates, a number of known security vulnerabilities have been patched. The update also made improvements to the way in which security warnings are displayed in the...

Read More