SSL Internet Security Resources -- March 23, 2017

New gTLDs White Paper

New gTLDs and Their Impact on Your SSL Certificates

July 2013 - The latest white paper from DigiCert discusses the impact new generic Top-Level Domains (gTLDs) may have on your new and existing SSL Certificates. New gTLDs will theoretically increase consumer choice through greater competition among registry service providers. It is worthwhile to consider whether it might be in the best interest of your own organization to apply for a new gTLD of your own.

Read the White Paper.

DigiCert Security Case Study

Wikimedia Foundation Partners with DigiCert for Strong Security, Streamlined Management in New Case Study

May 8, 2012 - In a new security case study from DigiCert and the Wikimedia Foundation, Wikimedia partnered with DigiCert to protect Wikipedia and 10 sister sites across all language sites and mobile properties using DigiCert’s enterprise managed PKI services. See how Wikimedia's partnership with DigiCert helped them increase security and facilitate SSL management.

Read the Case Study.

Security and Encryption in Education White Paper

DigiCert Presents Information for Educational Institutions in New Education White Paper

October 13, 2009 - DigiCert presents our new Education White Paper. Now that academic registration, application materials, and grades are submitted and recorded over open networks, better security measures are needed. The Family Educational Rights and Privacy Act (FERPA) prohibits educational institutions from disclosing certain sensitive "personally identifiable education information" and gives parents the right to receive access to their children's education records. The U.S. Department of Education has recommendations for data breach situations.

Read the White Paper.

Phishing and Preventative Measures White Paper

Outline for Preventative Measures that Can Be Taken to Reduce The Effectiveness of Online Phishing Attacks

June 12, 2009 - A new Phishing and Preventative Measures White Paper outlines steps that can be taken to prevent online fraud.

Phishing is just one of the many ways that the Internet can be used to get people to unknowingly provide their personal financial information to fraudsters. Phishing often targets and leverages the trusted brands of well-known entities like banks, payment services, social networking sites, and other places where users are likely to have an online account. Certificate Authorities, like DigiCert, rely on the contact information maintained by domain registrars to determine domain ownership and avoid issuing certificates to fraudulent sites.

Read the White Paper.

PCI Compliant SSL Certificate Encryption

DigiCert Outlines PCI Compliance in New White Paper

March 16, 2009 -- Server security certificates from DigiCert help satisfy PCI-DSS (Payment Card Industry Data Security Standard) compliance requirements with strong SSLv3-capable certificates. Protection and encryption of cardholder data (such as that provided by SSL/TLS) is required by PCI-DSS Control Objectives.

Find out more about how DigiCert can help you pass the PCI Compliance Audit with our new PCI compliance white paper.

Read the White Paper.

DigiCert EV SSL Certificates Protect Users From SSLstrip and Man-in-the-Middle Attacks

SSL Certificate Authority Answers New Digital Threats Presented at Black Hat Conference

LINDON, Utah, Feb. 19 -- On Wednesday, February 18 at the Black Hat conference in Washington, D.C., an independent hacker known as Moxie Marlinspike presented a software tool called SSLstrip designed to remove the SSL protection from websites using advanced man-in-the-middle attack methods. DigiCert, a major worldwide provider of SSL Certificates, replied that Extended Validation (EV) SSL Certificates help users to recognize and steer clear of such attacks.

Marlinspike demonstrated how the SSLstrip program can intercept connections between a web browser and a trusted website, then serve the web browser the contents of the trusted site without trusted SSL encryption. The webpage could potentially be loaded unsecured (http) or spoofed with a low-assurance SSL certificate on a fraudulent domain name, similar to a phishing attack. Therefore, it is possible that the pages would still load with a padlock in the browser. SSLstrip could potentially be effective at stealing sensitive information, including usernames, passwords, or credit card information, in situations where man-in-the-middle attacks are possible, such as in Onion Routing configurations and Wi-Fi networks. Read more...

MD5 Certificate Vulnerability

SSL Certificates With MD5 Cryptographic Standards Considered Insecure - All DigiCert Customers Unaffected.

January 5, 2009 -- On December 30, 2008 a group of security researchers reported that by exploiting a known weakness in the MD5 hashing algorithm, they were able to create a rogue intermediate CA certificate under the "Equifax Secure Global eBusiness CA-1" root certificate, belonging to GeoTrust's RapidSSL brand.

Because all certificates issued by DigiCert use the SHA-1 standard, we are happy to reassure all our past, present, and future customers that these findings do not present any reason for them to worry about the integrity of their DigiCert SSL certificates. The fact that DigiCert uses SHA-1 instead of the outdated MD5, along with various other internal controls, makes the attack by the MD5 researchers impossible. Read more...