Our latest “Ask Erik” question involves understanding what email headers save about secure message transport … especially when they list MAPI or HTTPS instead of TLS.
Read the rest of this post »
The web has reached the tipping point where encrypted traffic – connections protected by HTTPS, which is HTTP over SSL/TLS – has overtaken unencrypted (HTTP) traffic. There are many reasons for this change, variously called HTTPS Everywhere or Always-On SSL, which we described in a previous FYI blog post. While this move certainly improves the security and privacy of interactions on the web, there still remains the Achilles’ heel of this ecosystem – the problem of mis-issuance of cryptographically legitimate certificates to rogue site operators. This blog post describes recent steps taken to guard against such occurrences, using techniques which can raise the necessary alarms before much harm propagates.
The Achilles’ heel of internet security is the mis-issuance of cryptographically legitimate certificates to rogue site operators.
The entire edifice of SSL/TLS-based security rests on certificates issued to the legitimate operators of websites, so that browser indicators (the secure lock icon, for example) based on various cryptographic checks can reassure users that they are communicating with their intended destination. Mis-issued certificates, whether available through lax procedures at a certificate authority (CA) or by a malignant act, removes that critical trust. A browser’s cryptographic checks cannot distinguish a duly-vetted legitimate server from a man-in-the-middle that has improperly obtained a cryptographically valid certificate. The latter might arise owing to the (mis)placed trust in a compromised root CA embedded in the browser or one issued by a corrupted intermediate CA that is in a legitimate chain of trusted certificates. This is, for example, why Google is reducing trust in SSL certificates issued by Symantec and why even Microsoft is the latest and last browser vendor to no longer going to trust anything issued by the WoSign/StartCom certificate authorities.
Some CAs make mistakes and fix them; some have a habit not well controlling certificate issuance. This seriously damages our trust in a secure internet.
Read the rest of this post »
We’ve written quite a lot in past FYI Blog posts about SSL/TLS certificates, the critical building block to secure communication on the Internet. We described what such certificates were, their use in securing the communications channel between a client (browser) and a server, different types of certificates and the pros and cons of using each.
Given the changes in the Internet landscape over the past five years, we feel it is time to revisit these topics. The technical details described in the earlier posts remain unchanged. What has changed, though, are the traffic patterns for HTTPS-based communications, additional vulnerabilities arising as a consequence and ways to mitigate these. This post will provide a general overview of certain changes in the Internet landscape over the past few years, while subsequent blog posts will describe some of the topics identified here in greater detail.
Read the rest of this post »
Website forms are ubiquitous. Every site needs them to engage visitors, collect information, makes sales, etc. They are easy to add to your site but not necessarily easy to do right.
There are plenty of free or cheap tools for creating web forms, but these tools may cause serious issues:
All of these problems impact the success of your site — causing everything from annoyance to the inability to contact your sales leads to breaches of privacy. Fortunately, it is not hard to plug these gaps and have a solid, productive, and secure web form.
Read the rest of this post »
SSL certificates are pervasively used on the Internet for securing all the data sent between servers, devices, clouds, phones, computers, etc. SSL certificates are intrinsic in the encryption of communications using “SSL and TLS” (how do these work? What is the difference?) — you can’t have secure communications without them!
In this article, we answer many common and not-so-common questions about SSL certificates.
Read the rest of this post »
