The Web Is Moving From HTTP to HTTPS

Posted by on November 21, 2016

The four letters, “http”, are known to technical and non-technical users alike as the beginning of any web address. These have been ubiquitous for many years. But things are about to change. Pretty soon, you won’t be able to go to many popular websites just by using those 4 letters. You will need to add an “s” at the end (https). Why is this happening? What are the reasons for this change? https indicates that a web page uses the security protocol known as TLS (previously known and more commonly referred to as SSL). This shows that...

▶ Read More

Trust on the Public Web – The Consequences of Covert Action

Posted by on November 11, 2016

You may have heard in the news that the Chinese Certificate Authority, WoSign, was caught backdating SHA-1 certificates to make it look like they were issued before the December 31, 2015 deadline. Why is this newsworthy?  For web-based security to remain an integral part of an ecosystem used every day by millions of people around the world, it all comes down to Trust; trust in the organization issuing the certificates, trust in the browsers that validate and display certificate information to the user, and trust by relying parties browsing...

▶ Read More

Google Certificate Transparency (CT) to Expand to All Certificates Types

Posted by on November 8, 2016

The policy change goes into effect October 2017 A recent Google announcement stated that all publicly trusted SSL/TLS certificates issued in October 2017 or later will be expected to comply with Chrome’s Certificate Transparency (CT) policy or be untrusted by the browser. Since January 2015, Chrome has required Extended Validation (EV) certificates to comply with CT. With this policy change, the Chrome CT policy will also apply to Domain Validated (DV) and Organization Validated (OV) certificates. For more than two years, CAs have supported...

▶ Read More

Why Is Certificate Expiration Necessary?

Posted by on October 19, 2016

The Long Life Certificate – Why It Doesn’t Exist Why is certificate expiration even necessary? Wouldn’t it be better if I could just buy a certificate with a long life before expiration? It would really simplify certificate management if it could be installed and forgotten. Simple, no management required, just file-and-forget. Imagine, I’ve been in business, starting say 10 to 15 years ago. I roll out my web pages and secure them with a 20-year-validity SSL certificate. I do this by creating a 512-bit RSA key securely stored in the...

▶ Read More

Always-On SSL

Posted by on September 30, 2016

There is no doubt that content owners and publishers have a duty to encourage trust and the confidence during internet usage by adopting security best practices. If a customer believes that their data and identity are safe and protected, they are more inclined to continue their online transactions. Industry best practices for website protection should be vendor-neutral, easy to implement, and globally accessible. Websites should take all the reasonable steps possible to adopt best practices in secure design and implementation, and this...

▶ Read More

Chrome to Show HTTP Sites as Not Secure

Posted by on September 15, 2016

Always-On SSL should be deployed to prevent the “Not secure” warning Website owners who do not secure their website with an SSL/TLS certificate will have to rethink their online strategy.  In a push to make the Internet safer for all users, Google will soon be issuing a stronger warning to visitors who navigate to a website that does not have the protection of an SSL/TLS certificate. With the release of Chrome 53 on Windows, Google has changed the trust indications to introduce the circle-i. Subsequently, Google has announced a new...

▶ Read More

How a SWEET32 Birthday Attack is Deployed and How to Prevent It

Posted by on September 7, 2016

Details surrounding the SWEET32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN can be found in the paper released by Karthikeyan Bhargavan and Gaëtan Leurent from INRIA in France. The paper shows that cipher suites using 64-bit block length ciphers are vulnerable to plaintext recovery attacks. As such, Triple-DES (3DES) and Blowfish are vulnerable. Here’s an overview. Vulnerabilities to a SWEET32 Birthday Attack Certain scenarios are pre-disposed to a SWEET32 Birthday attack. For HTTPS, most susceptible are websites that...

▶ Read More

Trust Indication Change in Google Chrome

Posted by on August 24, 2016

Google is making security icon changes in the Chrome status bar. The changes are based on a research paper prepared by members of Google and University of California, Berkeley. The research evaluated forty icons, seven complementary strings and surveyed 1,329 people. The goal is to make it easier for browser users to determine how secure their connection to a site is and indicate if the site is dangerous or deceptive. In addition, the icons are to indicate to people that HTTP is less secure than HTTPS. Below are representations of the old...

▶ Read More

Minimum Requirements for Code Signing Certificates

Posted by on July 20, 2016

It is time for an update on the Baseline Requirements for Code Signing. First the bad news, the new standard was not approved by the CA/Browser Forum due to philosophical differences among some forum members who felt code signing was not in scope with the Forum’s charter. The good news is the document was created in a multi-stakeholder environment and substantially improves the current management processes. As such, it was decided to bring the document outside of the forum and finalize it as part of the CA Security Council. The CASC members...

▶ Read More

TLS Certificates on the Web – The Good, The Bad and The Ugly

Posted by on May 17, 2016

It might be hard to believe, but the SSL/TLS Ecosystem is nearly 20 years old. It’s time to take stock and see how we’re doing with regards to TLS certificates. In this article, we’ll primarily discuss certificates themselves and not web server configuration, although that is often a source of problems. In the last few years, we’ve endured three major certificate-based migrations: Away from the MD2 and MD5 hash algorithms to SHA-1 Away from small RSA keys to 2048-bit keys or larger Away from the SHA-1 hash algorithm to...

▶ Read More