After over a year of effort, Ballot SC3 was just unanimously passed by the CA/Browser Forum. This is the first major upgrade to the Network and Certificate System Security Requirements to come out of the Forum’s Network Security Working Group. It contains several important improvements, but one is especially important: removing the requirement that passwords […]
Enterprise Security
Assessing the London Protocol
The London Protocol was originally proposed as a potential joint effort by CA Security Council members to combat phishing. All large commercial CAs revoke certificates for phishing websites when they are brought to their attention, but they do not proactively monitor their customers' sites, and generally do not share information about misuse of certificates with […]
Deprecating TLS 1.0 & 1.1
There are currently three versions of the TLS protocol in use today: TLS 1.0, 1.1, and 1.2. TLS 1.0 was released in 1999, making it a nearly two-decade-old protocol. It has been known to be vulnerable to attacks—such as BEAST and POODLE—for years, in addition to supporting weak cryptography, which doesn’t keep modern-day connections sufficiently […]
HTTPS-Only Features in Major Browsers
You may not know this little fact: certain browser features require HTTPS to work. Features like getting a user’s location, accessing their microphone, or storing data locally on their device all require that your website supports HTTPS. We often talk about the benefits of adopting HTTPS for the user experience and website reputation, but being […]
2 Challenges Health IT Still Faces
Let the National Health IT Week parties commence! But, before we do, let’s reflect on the progress and growth the industry has seen over the last decade. The Background & Growth of Health IT When I began my career in healthcare 12 years ago at the US Department of Health and Human Services (HHS), the […]
Prepare Now for General Data Protection Regulation or Be Ready to Pay Fines
The new European Union General Data Protection Regulation (GDPR) deadline is May 25, 2018, and despite that date quickly approaching, research shows many companies still aren’t ready. If they remain non-compliant, companies will face a fine up to 4 percent of annual turnover or €20 million (whichever is greater) per breach or issue related to […]
How to Build a PKI That Scales: Hosted vs. Internal [SME Interview]
In our previous interview with Darin Andrew, Senior PKI Architect at DigiCert, we discussed the differences between public and private PKI. We established that most enterprises use a hybrid PKI solution. That said, you have two options for implementing your private PKI: (1) use a hosted solution from a certificate authority (CA) or (2) build […]
Advancing the Goal of Automated PKI for More Secure DevOps
This new partnership will accelerate development, increase the speed of innovation, and ensure continuous delivery of certificates for DevOps environments.
OpenSSL Patches “Critical” & “Moderate” Security Vulnerabilities
The “critical” vulnerability introduced in OpenSSL 1.1.0a does not affect SSL/TLS certificates, but admins should still patch their OpenSSL installations as soon as possible.