Blog

One Year Certs

Posted by Patrick Nohe on July 9, 2020

Maximum SSL/TLS Certificate Validity is Now One Year Starting on September 1st, SSL/TLS certificates cannot be issued for longer than 13 months (397 days). This change was first announced by Apple at the CA/Browser Forum Spring Face-to-Face event in Bratislava back in March. Then last week, at the CA/B Forum’s Summer event (held virtually), Google announced its intention to match Apple’s changes with its own root program. There is also a browser-driven ballot that seeks to align the industry’s baseline requirements with the new root program...

Read More

Could Quantum Computing Help Stave Off the Next Great Pandemic?

Posted by Patrick Nohe on June 11, 2020

As we settle into month two of isolation in the world’s collective battle against the COVID-19 pandemic, one talking point you’ve undoubtedly heard time and again is that this won’t truly be over until there’s a vaccine. But the search for a vaccine is a complicated process that feels exceedingly abstract to most of us. How do you create a vaccine? That’s not a question we’ll be able to answer in this article, nor will we attempt to. Rather, we’re going to focus on just one piece of the vaccine hunt, a process called protein folding, and how...

Read More

How to do HTTPS … The Right Way

Posted by Corey Bonnell on June 2, 2020

With secure HTTP — aka HTTPS (the “S” is short for “secure”) — swiftly becoming universal on the Internet, it is important to know how to configure HTTPS for your website the right way. The payoff for properly securing your website has many benefits, a few of which are: Secure transmission of sensitive information. HTTPS protects the sensitive information of your website visitors– whether that be personal profile information, passwords, payment information, etc. Additionally, electronic payment standards such as PCI DSS mandate...

Read More

Don’t ‘Compromise’ Your Code Amid Malware Mayhem

Posted by Abul Salek on May 12, 2020

Code Signing Certificates demand a price premium in the underground online marketplace. This is no surprise considering that criminals sometimes use them to dupe their potential victims into installing malware in their machine. The code-signed malware appears safe to the users, whereas users receive an alert to be cautious if the malware is unsigned. In recent days, fraudsters have been injecting malware into popular remote conference software clients, such as Zoom, and many users are unaware that their devices are being compromised. Dark web...

Read More

Digital Trust Is Elusive – Are Qualified Trust Services A Solution?

Posted by Sebastian Schulz on May 1, 2020

A popular saying goes: “Trust takes years to build, seconds to break, and forever to repair.” While I wouldn’t completely agree, the idea isn’t wrong. In real life trust between two parties is established over some period of time, depending on a variety of factors. Have you ever wondered why you initially trust some people more and others less, even if you’ve never met them before? There are a complicated multitude of factors that influence our thoughts: the person’s appearance, tone of voice, title or rank, etc. Trust is established over...

Read More

Preparing for Quantum Computing

Posted by Diana Gruhn on April 21, 2020

Quantum computing is advancing, and while experts are not sure when there will be a quantum computer powerful enough to break the RSA and ECC cryptographic algorithms that are currently in use, many are operating under the assumption that this can happen within a 10-15 year timeframe. This is a general timeline because there is no way to know when this will occur – it could happen sooner or it could happen later. The Road to Crypto Agility The IETF is working on proposals to create new X.509 certificate formats with multiple keys (called...

Read More

5 Ways to Keep Up with Authentication Certificates

Posted by Arvid Vermote on February 24, 2020

When it comes to protecting an organization’s data and users, CISOs have no shortage of hurdles. Identity attacks have become sophisticated and convincing, thanks to ransomware, phishing and deep fakes. CISOs have long known the importance of strong identification and authentication controls, but with threats constantly changing and intensifying, having these controls in place is just one piece of the puzzle; they must be managed correctly in order to do their job. Firstly, organizations have a wide range of technologies available to prevent...

Read More

The CA Security Council Looks Ahead to 2020 and Beyond

Posted by Patrick Nohe and Doug Beattie on January 9, 2020

A whirlwind of activity will cause dramatic shifts across the PKI world in the year ahead Suffice it to say that 2019 was filled with challenges and contentiousness as Certificate Authorities and Browsers began to watch their shared visions diverge. The debate around Extended Validation continued as CAs pushed for a range of reforms and browsers pushed to strip its visual indicators. And a ballot to shorten maximum certificate validity periods exposed fault-lines at the CAB Forum. But while neither of those conversations are over – let alone...

Read More

Chrome Kills Mixed Content for HTTPS

Posted by Bruce Morton on December 6, 2019

In a phased approach, Chrome plans to block mixed content on secure websites to improve user security. Most browsers already block some mixed content such as scripts and iframes by default. Chrome is amping it up by gradually taking steps to also block images, audio recordings and videos, according to a recent Google Security blog. Preventing mixed content to load will eventually result in HTTPS websites losing their security indicator downgrading the site to HTTP, which alerts visitors that the site is not secure. Mixed content happens when...

Read More

Online Identity Is Important: Let’s Upgrade Extended Validation

Posted by Patrick Nohe on October 21, 2019

It’s time for the CA/Browser Forum to focus on the other half of its mandate Let’s have a candid discussion about Extended Validation SSL. What’s working. What’s NOT. And what can be done to fix it so that all parties involved are satisfied. But first, let’s zoom out and talk big picture. The vast majority of website owners almost never think of SSL. They worry about it once every year or so when it needs to be replaced, but it’s not really a major point of consideration. And even when it is, it’s on more of a macro level when managing...

Read More