Below is a collection of blog posts written by our in-house SSL/TLS and security experts, along with posts from guest authors we invite from time to time. You will also find guides for installation and configuration, the best ways to secure your systems, fixes for common problems, and industry updates.
It’s that time again. As protocols mature, security vulnerabilities lurking beneath the surface are inevitably uncovered by security professionals. The so-called “Raccoon” vulnerability is unusual, however, in that it affects TLS 1.2, arguably the most secure version of SSL/TLS to be using today. Some sensationalists describe this as the “Heartbleed of 2020”, while other researchers contend that this vuln… [read more →]
To improve web PKI and security, Certificate Authorities (CAs) will no longer issue SSL/TLS certificates with validity periods longer than one year, starting September 1, 2020. Initiated by Apple Safari and joined by Google Chrome and Mozilla Firefox, the new maximum validity period will be 398 days, which is one year plus a 33-day renewal grace period. The shortening of certificate validity… [read more →]
Certificate cross-signing is a nuance of PKI that is often poorly understood. This topic is particularly salient of late, as a long-lived root certificate managed by Sectigo (formerly Comodo) expired, causing unexpected problems for many legacy systems worldwide. But how can certificate expiration lead to service downtime? Who is responsible for being aware that this can happen? How can… [read more →]
SSL/TLS uses X.509 certificates to secure digital communications. These certificates are bound to a particular DNS name and signed by a Certificate Authority. Browsers attempt to validate the certificate by chaining it back to a root certificate in their root certificate store. If a website does not have an SSL/TLS certificate installed that matches the DNS name by which it was accessed, it is an… [read more →]
On Friday, February 28th, Let’s Encrypt made the tough decision to revoke over 3 million certificates they had issued, due to a bug in the software they use to validate CAA records. This gave companies relying on Let’s Encrypt under a week to replace these certificates on their endpoints. While this procedure did not necessarily require downtime (depending on the specific server configuration), it did… [read more →]