How Does the ROCA Attack Work?

Posted by on November 9, 2017 0 comments

On October 17th, a group of Czech researchers announced they had found a way to factor the moduli of many RSA public keys generated by hardware produced by Infineon Technologies AG.  The technical details were presented in a paper at the 2017 Computer and Communications Security conference, hosted by the Association for Computing Machinery on November 2nd. The technique only works against the key pairs produced by Infineon’s library, because it exploits the unique method they use to generate RSA primes.  Key pairs produced by other methods and libraries are unaffected.  However,...

Read More

Quantum Computing: Real or Exaggerated Threat to the Web PKI?

Posted by on August 30, 2017 0 comments

Twenty years ago, paying your phone or electric bill involved receiving it in the mail, writing a check and mailing it back to the company. Today, that has largely been replaced by email and web-based payment submittals. All of this is secured by digital certificates and encryption, which provide privacy and authentication of information transiting the open Internet (aka Web PKI). The web PKI is predominantly secured by RSA encryption algorithms; mathematical theorems which have been improved over time. These algorithms depend on the difficulty of computers in factoring large prime numbers in...

Read More

How Browser Security Indicators Can Protect You from Phishing

Posted by on June 6, 2017 2 comments

The media is full of stories about how phishing sites are moving rapidly to encryption using anonymous, free DV certificates they use to imitate login pages for popular sites, such as paypal.com. As noted in the article “PayPal Phishing Certificates Far More Prevalent than Previously Thought”, https://www.thesslstore.com/blog/lets-encrypt-phishing/, more than 14,000 DV SSL certificates have been issued to PayPal phishing sites since the start of 2016.  Based on a random sample, 96.7% of these certificates were intended for use on phishing sites. A typical certificate will be for a...

Read More

Certificate Transparency Deadline Moved to April 2018

Posted by on May 3, 2017 0 comments

Google just announced they will not be enforcing certificate transparency (CT) logging for all new TLS certificates until April 2018. In a previous blog post, we advised that Google provided a new policy, which required new TLS certificates to be published to the CT logs in order for the domain to be trusted by Chrome. The reason for the delay was not clear, but Google needs to consider the following: Overall CT policy discussions with the major stakeholders are underway, but we are still far away from a conclusion. Other browsers appear to be supporting CT, but have yet to determine their...

Read More

The Latest on Certification Authority Authorization

Posted by on March 21, 2017 0 comments

Things are certainly heating up at the CA/Browser with exciting proposals surrounding inclusion of the Wi-Fi Alliance (WFA) as a subjectAltName otherName, new validation methods, and debates over how the CAB Forum will continue operating. One of these newly passed ballots requires all CAs to check and process a domain name’s DNS Certification Authority Authorization (CAA) resource record prior to issuing a digital certificate. Background RFC 6844 created CAA records as a method for domain owners to specify a policy on which certificate authorities are authorized to issue certificates for...

Read More

2017 – Looking Back, Moving Forward

Posted by on January 13, 2017 0 comments

Looking Back at 2016 Fortunately, 2016 was not a year full of SSL/TLS vulnerabilities. Although some researchers did prove old cryptography algorithms should be put out to pasture. The year showed the end of public-trusted SHA-1 SSL/TLS certificates. It also showed more transparency should be considered due to issues discovered with a few certification authorities (CAs). The great news is HTTPS is no longer the minority — after 20 years, connections using HTTPS has surpassed HTTP. Vulnerabilities Researchers terminated the use of the SSL 2.0 version of the protocol after a vulnerability...

Read More