Blog

Fortify Allows Users to Generate X.509 Certificates in Their Browser

Posted by Tim Hollebeek on June 19, 2018

Fortify, an open source application sponsored by Certificate Authorities through the CA Security Council, is now available for Windows and Mac. The Fortify app, which is free for all users, connects a user’s web browsers to smart cards, security tokens, and certificates on a user’s local machine. This can allow users to generate X.509 certificates in their browser, replacing the need for the deprecated functionality. Certificate Generation In The Browser The Web Cryptography API, also known as Web Crypto, provides a set of cryptographic...

Read More

CA/Browser Forum Governance Reform

Posted by Dean Coclin on May 18, 2018

In March 2016, the CA/Browser Forum formed a working group to review potential ways to restructure the forum. The primary goal was to examine ideas so the Forum could work on other types of standards besides TLS. Ben Wilson and I chaired this group with excellent participation from a cross functional team of browser and certificate authority representatives as well as interested parties. After 2 years of efforts, the working group produced Ballot 206 which passed in April 2017. This created new bylaws which will go into effect on July 3,...

Read More

TLS 1.3 Includes Improvements to Security and Performance

Posted by Tim Shirley on April 10, 2018

Last month saw the final adoption, after 4 years of work, of TLS version 1.3 by the Internet Engineering Task Force (IETF). This latest iteration of the protocol for secure communications on the internet boasts several noteworthy improvements to both security and performance: Security All cipher suites that do not provide forward secrecy have been eliminated from TLS 1.3. This is a very important security property, because without forward secrecy, if a server’s private key is compromised today, any previously-recorded conversations with...

Read More

Chrome Will Show Not Secure for all HTTP Sites Starting July 2018

Posted by Bruce Morton on February 15, 2018

Through 2017 and into 2018, we have seen the use of HTTPS grow substantially. Last Fall Google announced the following status: Over 68% of Chrome traffic on both Android and Windows is now protected Over 78% of Chrome traffic on both Chrome OS and Mac is now protected 81 of the top 100 sites on the web use HTTPS by default Google helped to drive this growth by implementing the “Secure” and “Not secure” status in Chrome’s status bar. “Secure” was provided for HTTPS sites. “Not secure” was implemented progressively, first resulting for HTTP...

Read More

2018 – Looking Back, Moving Forward

Posted by Bruce Morton on January 6, 2018

Looking Back at 2017 2017 saw the end of SHA-1 in public trust SSL/TLS certificates and the start of Certification Authority Authorization (CAA) allowing domain owners to authorize their CA. A “Not secure” browser indication was propagated to push more websites to support HTTPS. There was also a change in the certification authority (CA) ownership with DigiCert acquiring Symantec’s SSL and related PKI business and Francisco Partners buying Comodo’s CA. Vulnerabilities Google and CWI announced SHAttered, an attack on the SHA-1 cryptographic...

Read More

How Does the ROCA Attack Work?

Posted by Tim Hollebeek on November 9, 2017

On October 17th, a group of Czech researchers announced they had found a way to factor the moduli of many RSA public keys generated by hardware produced by Infineon Technologies AG.  The technical details were presented in a paper at the 2017 Computer and Communications Security conference, hosted by the Association for Computing Machinery on November 2nd. The technique only works against the key pairs produced by Infineon’s library, because it exploits the unique method they use to generate RSA primes.  Key pairs produced by other methods...

Read More

Quantum Computing: Real or Exaggerated Threat to the Web PKI?

Posted by Dean Coclin and Tim Hollebeek on August 30, 2017

Twenty years ago, paying your phone or electric bill involved receiving it in the mail, writing a check and mailing it back to the company. Today, that has largely been replaced by email and web-based payment submittals. All of this is secured by digital certificates and encryption, which provide privacy and authentication of information transiting the open Internet (aka Web PKI). The web PKI is predominantly secured by RSA encryption algorithms; mathematical theorems which have been improved over time. These algorithms depend on the...

Read More

How Browser Security Indicators Can Protect You from Phishing

Posted by Kirk Hall and Chris Bailey on June 6, 2017

The media is full of stories about how phishing sites are moving rapidly to encryption using anonymous, free DV certificates they use to imitate login pages for popular sites, such as paypal.com. As noted in the article “PayPal Phishing Certificates Far More Prevalent than Previously Thought”, https://www.thesslstore.com/blog/lets-encrypt-phishing/, more than 14,000 DV SSL certificates have been issued to PayPal phishing sites since the start of 2016.  Based on a random sample, 96.7% of these certificates were intended for use on phishing...

Read More

Certificate Transparency Deadline Moved to April 2018

Posted by Bruce Morton on May 3, 2017

Google just announced they will not be enforcing certificate transparency (CT) logging for all new TLS certificates until April 2018. In a previous blog post, we advised that Google provided a new policy, which required new TLS certificates to be published to the CT logs in order for the domain to be trusted by Chrome. The reason for the delay was not clear, but Google needs to consider the following: Overall CT policy discussions with the major stakeholders are underway, but we are still far away from a conclusion. Other browsers appear to...

Read More

The Latest on Certification Authority Authorization

Posted by Jeremy Rowley on March 21, 2017

Things are certainly heating up at the CA/Browser with exciting proposals surrounding inclusion of the Wi-Fi Alliance (WFA) as a subjectAltName otherName, new validation methods, and debates over how the CAB Forum will continue operating. One of these newly passed ballots requires all CAs to check and process a domain name’s DNS Certification Authority Authorization (CAA) resource record prior to issuing a digital certificate. Background RFC 6844 created CAA records as a method for domain owners to specify a policy on which certificate...

Read More