Blog

Why Are You Removing Website Identity, Google and Mozilla?

Posted by Tim Callan and Kirk Hall on August 27, 2019

You can’t have consumer privacy without having strong website identity Today there’s a huge wave toward protecting consumer privacy – in Congress, with the GDPR, etc. – but how can we protect user privacy on the web without establishing the identity of the websites that are asking for consumer passwords and credit card numbers? Extended Validation (EV) certificates provide this information and can be very useful for consumers. Recently, Google and Mozilla have announced plan to eliminate the distinctive indicators in the Chrome and Firefox...

Read More

9 Common Myths About CAs

Posted by Tim Callan on August 1, 2019

Over the years misconceptions about CAs and the SSL infrastructure have arisen. Below is a list of common myths related to SSL and CAs. Myth #1: CAs are not regulated Fact: CAs are subject to various checks and balances, including third-party qualified audits through WebTrust or ETSI and strict criteria set forth by leading browsers, before they are accepted in browser root stores. Similarly, the CA/Browser Forum’s Baseline Requirements and Network Security Guidelines establish global standards for certificate issuance and CA controls that...

Read More

The Advantages of Short-Lived SSL Certificates for the Enterprise

Posted by Doug Beattie on July 18, 2019

Short validity period certificates are becoming ever more common to reduce the scope of data compromised if a server vulnerability is uncovered, such as HeartBleed.  Good security practice dictates changing keys on a regular basis, normally annually, but if you want to limit your exposure further, you can replace your certificates and underlying keys more frequently. Sandstorm is an open source server software that makes it easy to install web apps. In order to solve the problem of setting up DNS without too much complication, Sandstorm...

Read More

What Are Subordinate CAs and Why Would You Want Your Own?

Posted by Doug Beattie on June 26, 2019

Digital certificate and PKI adoption has changed quite a bit in recent years. Gone are the days where certificates were only synonymous with SSL/TLS; compliance drivers like stronger authentication requirements and digital signature regulations (e.g. eIDAS) have greatly expanded the role of PKI within the enterprise. As PKI usage has expanded, conversation has moved beyond just the number and type of certificates needed and onto deeper dialogue about custom PKI deployments. A large part of the conversation is around subordinate CAs, sometimes...

Read More

What the Latest Firefox Update Means for SSL Certificates

Posted by Tim Callan on June 14, 2019

Last month marked the release of Firefox 66, the newest iteration of the ever-popular web browser.  The update adds a number of interesting new features, including improvements to content loading and extension storage, auto-play sound blocking, and support for the AV1 codec (on the Windows version at least).  The search feature has also been improved, and, as is typical of browser updates, a number of known security vulnerabilities have been patched. The update also made improvements to the way in which security warnings are displayed in the...

Read More

2019 – Looking Back, Moving Forward

Posted by Bruce Morton on January 3, 2019

Looking Back at 2018 2018 was an active year for SSL/TLS. We saw the SSL/TLS certificate validity period drop to 825-days and the mass deployment of Certificate Transparency (CT). TLS 1.3 protocol was finally completed and published; and Chrome status bar security indicators changing to remove “secure” and to concentrate on “not secure.” The CA/Browser Forum has been reformed, the London Protocol was announced and the nearly full distrust of Symantec SSL completed. Here are some details on some of the 2018 happenings in the SSL/TLS ecosystem....

Read More

CA Security Council (CASC) 2019 Predictions: The Good, the Bad, and the Ugly

Posted by Chris Bailey, Bruce Morton, and Jay Schiavo on December 6, 2018

As the legendary coach of the NY Yankees Yogi Berra allegedly said, “It’s difficult to make predictions, especially about the future.”  But we’re going to try. Here are the CA Security Council (CASC) 2019 Predictions: The Good, the Bad, and the Ugly. The Good Prediction: By the end of 2019, over 90% of the world’s http traffic will be secured over SSL/TLS Encryption boosts user security and privacy, and the combined efforts of browsers and Certification Authorities (CAs) over the past few years have moved us rapidly to a world approaching...

Read More

Fortify Allows Users to Generate X.509 Certificates in Their Browser

Posted by Tim Hollebeek on June 19, 2018

Fortify, an open source application sponsored by Certificate Authorities through the CA Security Council, is now available for Windows and Mac. The Fortify app, which is free for all users, connects a user’s web browsers to smart cards, security tokens, and certificates on a user’s local machine. This can allow users to generate X.509 certificates in their browser, replacing the need for the deprecated functionality. Certificate Generation In The Browser The Web Cryptography API, also known as Web Crypto, provides a set of cryptographic...

Read More

CA/Browser Forum Governance Reform

Posted by Dean Coclin on May 18, 2018

In March 2016, the CA/Browser Forum formed a working group to review potential ways to restructure the forum. The primary goal was to examine ideas so the Forum could work on other types of standards besides TLS. Ben Wilson and I chaired this group with excellent participation from a cross functional team of browser and certificate authority representatives as well as interested parties. After 2 years of efforts, the working group produced Ballot 206 which passed in April 2017. This created new bylaws which will go into effect on July 3,...

Read More

TLS 1.3 Includes Improvements to Security and Performance

Posted by Tim Shirley on April 10, 2018

Last month saw the final adoption, after 4 years of work, of TLS version 1.3 by the Internet Engineering Task Force (IETF). This latest iteration of the protocol for secure communications on the internet boasts several noteworthy improvements to both security and performance: Security All cipher suites that do not provide forward secrecy have been eliminated from TLS 1.3. This is a very important security property, because without forward secrecy, if a server’s private key is compromised today, any previously-recorded conversations with...

Read More