Kicking the Certificate Habit →

March 07, 2017 by Marc Handelman in All is Information, Simplicity, Web Security, WebTrust, Trust, TOFU, Information Security, Authentication, Must Read

Dr. Jaap-Henk Hoepman's security posts (via his blog), detailing his provocative yet fundamentally sound thoughts on the subject of terminating the utilization of certificates is today's absolute MustRead.

The basic idea - A few days ago I explained the idea including a mechanism to detect phishing attacks. This makes the protocol more complex, and creates confusion. So let’s try again, explaining the basic idea first. Whenever a browser sets up a new TLS connection with a domain, the web server serving that domain respond with its public key (instead of a certificate, as is currently the case) in the initial TLS handshake. (This is more precise than saying that the web server sends its public key in the header of every page it sends.)... Read more at Dr. Hoepman' blog

ISOC 2016 Global Internet Report →

November 25, 2016 by Marc Handelman in Accountability, All is Information, Information Security, Database Security, Data Security, Web Security, WebTrust, Online Trust, ISOC

Behold, the Internet Society's 2016 Global Internet Report: 'The Economics of Building Trust Online: Preventing Data Breaches. Fascinating reading.

Symantec Certificate Authority Investigated →

November 05, 2015 by Marc Handelman in All is Information, Cryptography, Certificate Authority, Information Security, WebTrust

Google, Inc. (NasdaqGS:GOOG) has warned Symantec Corporation (NASDAQ:SYMC) of imposed requirements applied to the Symantec Certificate Authority due to apparent malfeasence in managing the company's Certificate Authority infrastructure and specifically Certificates issued without notifying the holders of same.

The implications of the action are range far both in scope (related to the specific certificates under scrutiny ("Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered. - posted by Ryan Sleevi, Software Engineer at Google, Inc.)), and in Google's efforts to enforce the WebTrust in the Digital Certificate realm. This is why I say, Trust - But Verify...

"It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner." - Posted by Ryan Sleevi, Software Engineer at Google, Inc.