Website Security Solutions
Showing posts tagged with SSL Certificates
FranRosch | 07 Sep 2011 | 1 comment

Since my last post, the effects of the recent DigiNotar breach have spread across the security industry. Many media outlets recently shared some of the names of the 531 fraudulent certificates created, including Google, Facebook, Skype, Microsoft, as well as each of the major certificate authorities. A hacker has claimed responsibility for the breach and claims to have breached some other Certificate Authorities as well. GlobalSign has ceased issuing certificates as it investigates whether or not it has been breached. Pundits are questioning the strength of SSL. Then, yesterday a Dutch government agency erroneously made a statement that Thawte had been breached. Although the statement was proven false and quickly...

AllenKelly | 01 Sep 2011 | 0 comments

On August 17th eWeek ran an article that described how improper SSL implementations can leave websites vulnerable to various cyber attacks.  While this story is spot-on, what is equally important to consider is the proper management of SSL Certificates. The mismanagement of SSL Certificates can lead to financial loss and lack of credibility for your organization.

One particular challenge that enterprises face can be having hundreds of SSL Certificates and no proper SSL Certificate management tool. The status of each certificate is usually tracked manually on a spreadsheet or through some other manual mechanism.  Manual mechanisms are prone to human error, and what’s more, data is difficult to track when IT personnel changes.  In addition, it isn’t unheard of for an SSL Certificate to expire in the middle of the...

FranRosch | 31 Aug 2011 | 0 comments

The Internet is buzzing with news of a recently compromised Certificate Authority (CA), DigiNotar, owned by VASCO Data Security International, Inc., possibly compromising a large number of consumers.

In July of this year an internal audit discovered an intrusion within DigiNotar’s CA infrastructure indicating compromise of their cryptographic keys. The breach of these keys resulted in the fraudulent issuance of public key certificates to several dozen domains including the domain Shortly after the incident DigiNotar revoked all of the certificates in question, conducted an additional external security audit and then attempted to revoke outstanding certificates that were affected. As of July 19th, DigiNotar believed all fraudulent certificates were taken out of circulation by revocation.

Unfortunately, this week it was found that there were still instances of fraudulent certificates in circulation. On August 28, 2011 a false DigiNotar wildcard...

AllenKelly | 24 May 2011 | 0 comments

Yesterday, an independent researcher claimed in his blog to have successfully exploited vulnerabilities in the way LinkedIn handles and transmits cookies over SSL (see blog at According to the blog, one of the problems is the availability of cookies sent in plain text over unencrypted channels of communication, which is due to SSL cookies not having a secure flag set, as well as appearing to contain session tokens.

"An attacker may be able to perform a man in the middle (MITM) attack, and thus capture these cookies from an established LinkedIn session," said the researcher.

This type of attack is similar to how Firesheep, a Firefox plug-in that was released in October 2010, enabled hackers to hijack information from other users on the same...

RyanWhite | 28 Apr 2011 | 0 comments

The Online Trust Alliance (OTA), one of the biggest proponents for Extended Validation SSL Certificates (EV SSL) in the security community, recently announced a new set of guidelines that any business or technical decision maker should consider within their security environments.

The guidelines, titled Security by Design, provide an outline for best practices regarding the treatment of consumer data. It explains that when collecting consumer data, businesses need to ensure they are protecting user data and avoiding any type of security incident breakdown -- something we've seen frequently in recent weeks.

Here are the first 5 steps to Security by Design:

1. Create a cross-...

RyanWhite | 19 Apr 2011 | 0 comments

Browser root ubiquity is an important requirement when deciding on a Certificate Authority (CA) for your SSL Certificates. Many CAs claim 99% browser ubiquity but this claim does not mean that every certificate will activate without triggering a security warning in a browser. Newer or smaller CAs may not have had their roots included in the root store for some browsers. This is especially an issue for older browsers.

VeriSign SSL does not have this issue. All browser manufacturers certainly remember to add VeriSign roots to their root store when new versions of that browser are released.

This is not the case, however, for every SSL Certificate vendor out there. In the past, some CA roots have been left out when a new browser version was released. If a CA's roots are not included in a browser's root store, unsightly error messages can occur -- messages that can motivate users to abandon that session. This leads to lost opportunities for sales and creates dissatisfied...

AllenKelly | 31 Mar 2011 | 0 comments

April Fool's Day is almost here. This annual celebration of silliness has endured largely because of trust - we all know who's playing the jokes on us and that those jokes will be harmless.
Unfortunately, this holiday also presents cyber criminals -- phishers, Web site spoofers and other scammers -- with a lure and smokescreen for their malicious attacks. These felons deliberately misrepresent themselves as legitimate organizations to gain unauthorized access to confidential or proprietary data. Their attacks are anything but playful and painless - rather, they can do incredible harm to industry, government and the citizens they serve.

To better protect the online community, the Online Trust Alliance (OTA) today released its 2011 Top 10 Recommendations to Help Businesses Protect Consumers From Being Fooled. OTA's recommendations provide a good cheat sheet of quick, effective...

AllenKelly | 23 Mar 2011 | 0 comments

This week Mozilla, Microsoft and Google all updated their browser blacklists to include a list of fraudulent SSL certificates issued for the following URLs:

These SSL certificates were issued by a Registration Authority (RA) affiliated with (and trusted by) Comodo, which claims that access to the RA was compromised and a user account was breached. They claim that this RA account was fraudulently used to issue 9 SSL certificates for the URLs above. They also claim that the attack originated from Iran.

Although these fraudulent certificates were revoked, many end users were still exposed to risk. Why? Because the technologies that make sure revoked certificates are not mistakenly validated are either turned off or entirely missing in some users' browsers...

Tim Callan | 19 Mar 2011 | 0 comments

Hello readers. Yesterday was my last day as a Symantec employee, and this entry is my last on Tim Callan's SSL Blog. After nearly seven years at VeriSign/Symantec I am moving on. The transition of the VeriSign authentication business since our acquisition in August 2010 has gone well, and with the approach of a new Symantec fiscal year, it's the right time for me to hand my responsibilities over to the going-forward team and find my own next adventure. I don't know right now what that adventure is, but if you're interested, just follow Tim Callan on Twitter, and I'll let you know. I also am authoring my own, personal blog, Tim Callan on Marketing and Technology, and I...