Blog

Share:

Perfect Forward Secrecy

Posted by on April 11, 2014

Recent revelations from Edward Snowden about pervasive government surveillance have led to many questions about the safety of communications using the SSL/TLS protocol. Such communications are generally safe from eavesdroppers, as long as certain precautions are observed. For example, configuring your web server to avoid using SSL2 and SSL3, favoring newer versions of TLS like TLS 1.2, selecting strong ciphersuites, etc. But even if your server is configured properly, you still must secure the private key associated with your SSL certificate....

▶ Read More

Heartbleed Bug Vulnerability: Discovery, Impact and Solution

Posted by on April 9, 2014

On April 7, 2014, a vulnerability in the OpenSSL cryptographic library was announced to the Internet community. Aptly labeled as the Heartbleed bug, this vulnerability affects OpenSSL versions 1.0.1 through 1.0.1f (inclusive). The Heartbleed bug is not a flaw in the SSL or TLS protocols; rather, it is a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The flaw is not related or introduced by publicly trusted certificates and is instead a problem with server software. Heartbleed Bug Discovery The Heartbleed bug was...

▶ Read More

Reducing the Impact of Government Spying

Posted by on April 4, 2014

Last year, Edward Snowden, an American computer-specialist working as a contractor for the National Security Agency (“NSA”), shocked web-users around the world by publicizing documents showing that the NSA was gathering intelligence on Internet users. The realization that the US government was gathering sensitive information has led to a worldwide demand for better protection of online communication and data and a general worry about the effectiveness of existing infrastructures. Specifically, some entities have asked whether PKI...

▶ Read More

Certificate Reputation

Posted by on March 28, 2014

One of the advantages of having multiple certification authorities (CAs) from which to choose an SSL certificate is that customers have flexibility to choose a CA that meets their specific needs, or even use a number of CAs for redundancy or to have access to a broader toolset. The disadvantage for end users, however, is that they often may not know if a particular CA was authorized to issue the certificate, and there could be a chance that the certificate was fraudulently obtained. Security experts have come out with proposals to allow domain...

▶ Read More

When to Choose an Extended Validation Certificate

Posted by on March 25, 2014

In our last post, we made a case for using Organizationally Validated (OV) or Extended Validation (EV) certificates for e-commerce, but we didn’t go into detail about the differences between OV and EV. EV certificates provide the highest level of assurance about your business, and they visually indicate this to your site’s visitors. The telltale sign that a business has obtained an EV certificate for their website is commonly referred to as the “green bar” displayed in the browser. The exact form of the indicator varies...

▶ Read More

CA Security Council Members Presentation at RSA 2014 Conference: New Ideas on CAA, CT, and Public Key Pinning for a Safer Internet

Posted by on March 17, 2014

CA Security Council (CASC) members Trend Micro, Go Daddy, and Symantec participated in a discussion panel at the 2014 RSA Conference in San Francisco on February 24 entitled “New Ideas on CAA, CT, and Public Key Pinning for a Safer Internet.” Panel members included Kirk Hall of Trend Micro (Moderator), Wayne Thayer of GoDaddy (Panelist), and Rick Andrews of Symantec (Panelist). Introduction to the Topic Hall began by introducing the topic – all three alternative technologies (Certificate Transparency or CT, Certificate...

▶ Read More

Think Twice Before Using DV for E-Commerce

Posted by on March 12, 2014

In a previous blog (What Are the Different Types of SSL Certificates?), we described the various types of SSL certificates available from publicly trusted Certificate Authorities (CAs).  CAs are often asked by their customers which certificate type should be used for websites conducting E-Commerce, rather than for just encryption of sensitive data. For the latter case, a Domain Validated (DV) certificate will work fine. A DV cert allows for encryption to take place between the browser and the server. However, because DV certificates do not...

▶ Read More

Pros and Cons of Single-Domain, Multi-Domain, and Wildcard Certificates

Posted by on February 26, 2014

We have previously written about the different types of SSL certificates, but in that article we focused on validation levels. A recent post on LinkedIn highlighted the fact that there is another dimension that we haven’t yet explored. SSL certificates come in three basic packages: “single-domain” certificates that can only be used on one specific website, “multi-domain” certificates that can be used on more than one website, and “wildcard” certificates that can be used on any website within a specific...

▶ Read More

Bogus SSL Certificates

Posted by on February 20, 2014

Netcraft has published an article stating they have found many bogus SSL certificates. In this case, a bogus certificate is self-signed (i.e., not issued from a legitimate certification authority) and replicates an SSL certificate of a large, popular website. This type of bogus SSL certificate could be used for a man-in-the-middle (MITM) attack. In this scenario, the attacker needs to gain a position that will allow them to intercept traffic and make you to go to their site instead of the real site. This is more likely for public Wi-Fi...

▶ Read More

Ten Steps to Take If Your Website Is Compromised

Posted by on February 12, 2014

After the news broke that 40 million credit card numbers were stolen from Target last month, many of their customers, including me, went to work checking our accounts for fraudulent purchases and replacing cards we’d used recently at Target. These have become standard responses to news of this sort. In much the same way, there are some common actions that you should be aware of if your website becomes compromised. Many millions of website are compromised and infected with various forms of malware every year. By one account, more than...

▶ Read More