Certificate Authorities

Microsoft leads the way, setting new cryptographic defaults


Microsoft is upping its game with regard to cryptographic standards. By discontinuing support for the old, weak RC4 cipher and putting Certificate Authorities on notice to migrate to SHA-2, it seems to be preparing for the future rather than reacting to it.

Turkish Certificate Authority screwup leads to attempted Google impersonation


Another Certificate Authority has been caught out having issued certificates that were being used to impersonate Google. Does the SSL padlock not mean we are safe anymore?

SSL certificate safety bolstered by standards that lessen dependence on CAs

Two new proposals have been submitted to the IETF attempting to fix some of the trust problems inherent in the current SSL certificate system used to secure our online communications.

Google and EFF propose improvements to HTTPS as GlobalSign releases CA breach report

GlobalSign gives itself clean bill of health after Iranian hacker's braggadocio

GlobalSign has released its report on the security incident the certificate authority suffered earlier this year. It comes up clean, but that doesn't take the spotlight off the need to fix the SSL certificate trust system now in place.

Another certificate authority issues dangerous certificates


Mozilla has revoked the signing privileges of another certificate authority for issuing weak and incomplete SSL/TLS certificates.

End of the road for DigiNotar as bankruptcy declared


DigiNotar, the Dutch certificate authority which hackers compromised and used to generate hundreds of bogus web security certificates, has filed for bankruptcy.

Microsoft revokes DigiNotar certificates from Windows, Mac users still vulnerable


Microsoft has permanently revoked all five certificates belonging to DigiNotar for Windows users. In addition to Windows 7 and Vista, the new release also protects users of Windows XP. Windows users should check for updates and apply this patch as soon as possible.

Operation Black Tulip: Fox-IT's report on the DigiNotar breach


A preliminary report was released today by Fox-IT, the security firm investigating the attack against certificate authority DigiNotar. It includes many interesting details about the hack, among them further indications that it primarily affected Iranian users.

SSL certificate debacle includes CIA, MI6, Mossad and Tor


Over 500 falsely signed certificates have now been identified, and browser makers are permanently removing DigiNotar as a trusted certificate authority. The targeted organisations range widely, including the CIA and MI6.

Google blacklists 247 certificates. Is it related to DigiNotar hacking incident?


Google has blacklisted over 200 certificates seemingly related to the DigiNotar hacking incident. What is the full extent of this breach, and who else may have been targeted?

Falsely issued Google SSL certificate in the wild for more than 5 weeks

A rogue certificate was found in the wild more than a month after it was issued, allowing someone to masquerade as SSL-enabled Google services. Where did this certificate come from, who was using it, and what can you do to protect yourself?

DEFCON 2011: SSL and the future of authenticity


Moxie Marlinspike proposed a solution to the ongoing trust problems in the SSL certificate system. Marlinspike's solution, Convergence, uses a set of independent notaries to provide a framework for detecting man-in-the-middle attacks while eliminating the need to purchase digital certificates from, or rely on, certificate authorities.
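To make the notary idea concrete, here is an added illustration of the core check: rather than trusting a CA signature, the client asks several notaries at different network vantage points which certificate they see for the host and compares fingerprints. This is example code written for this page, not Convergence's own code or wire protocol; the notary names and the byte strings standing in for DER certificates are constructed, and the "majority" and "consensus" modes are assumptions about how a client might combine notary answers.

```python
"""Notary-style certificate verification, illustrating the idea behind
Convergence: ask independent vantage points which certificate they observe
for a host and compare with what this client was handed.
Constructed example for this page; not Convergence's own code or protocol."""
import hashlib
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
LEGIT_CERT_DER = b"constructed-der:genuine-certificate-for-the-host"
ROGUE_CERT_DER = b"constructed-der:fraudulent-certificate-from-a-compromised-ca"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, hex-encoded."""
    return hashlib.sha256(der).hexdigest()


def notary_decision(client_fp: str,
                    notary_fps: Dict[str, Optional[str]],
                    mode: str = "majority") -> Tuple[bool, str]:
    """Decide whether to trust the certificate the client was handed.

    client_fp   fingerprint of the certificate this client received.
    notary_fps  notary name -> fingerprint that notary observed for the host,
                or None if the notary could not be reached.
    mode        "consensus": every responding notary must agree with the client.
                "majority":  more than half of the responding notaries must agree.
    Unreachable notaries are ignored; if none responded the client fails closed,
    since an attacker who can block every notary should not get a free pass.
    """
    responses = {n: fp for n, fp in notary_fps.items() if fp is not None}
    if not responses:
        return False, "no notary responded; failing closed"

    agreeing = [n for n, fp in responses.items() if fp == client_fp]
    dissenting = [n for n in responses if n not in agreeing]

    if mode == "consensus":
        accepted = not dissenting
    elif mode == "majority":
        accepted = len(agreeing) * 2 > len(responses)
    else:
        raise ValueError(f"unknown mode {mode!r}")

    if accepted:
        return True, f"{len(agreeing)}/{len(responses)} notaries saw the same certificate"
    distinct = len(Counter(responses.values()))
    return False, (f"possible man-in-the-middle: {len(dissenting)}/{len(responses)} notaries "
                   f"({', '.join(dissenting)}) saw a different certificate; "
                   f"{distinct} distinct fingerprint(s) observed by notaries")


def demo() -> Dict[str, Tuple[bool, str]]:
    """Four constructed scenarios; the honest notaries all see the genuine cert."""
    legit_fp = fingerprint(LEGIT_CERT_DER)
    rogue_fp = fingerprint(ROGUE_CERT_DER)
    honest = {"notary-eu": legit_fp, "notary-us": legit_fp, "notary-asia": legit_fp}
    return {
        # Client is not being intercepted: what it sees matches the notaries.
        "clean": notary_decision(legit_fp, honest),
        # Client is behind an interceptor holding a CA-signed but rogue cert;
        # the CA signature would validate, but the notaries disagree.
        "mitm": notary_decision(rogue_fp, honest),
        # One notary unreachable: the remaining two still agree.
        "one_notary_down": notary_decision(legit_fp, {**honest, "notary-asia": None}),
        # Every notary blocked: fail closed rather than trust the CA alone.
        "all_down": notary_decision(legit_fp, {n: None for n in honest}),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The caveat a practitioner would raise: a notary only helps if its view of the host differs from the attacker's. An interception covering a whole country's egress, as the DigiNotar reporting describes for Iran, is invisible to notaries inside that country, so the notary set needs geographic and network diversity, and "consensus" mode is the safer default when the set is small.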