Archive for the ‘digital Certificate’ Category

A world of hurt after GoDaddy, Apple, and Google misissue >1 million certificates

March 12th, 2019


A major operational error by GoDaddy, Apple, and Google has resulted in the issuance of at least 1 million browser-trusted digital certificates that don’t comply with binding industry mandates. The number of non-compliant certificates may be double that number, and other browser-trusted authorities are also likely to be affected.

The snafu is the result of the companies' misconfiguration of the open source EJBCA software package that many browser-trusted authorities use to generate certificates that secure websites, encrypt email, and digitally sign code. By default, EJBCA generated certificates with 64-bit serial numbers, in keeping, it seemed, with an industry mandate that serial numbers contain 64 bits of output from a secure pseudo-random number generator. Upon further scrutiny, engineers discovered that one of the 64 bits must be a fixed value to ensure the serial number is a positive integer. As a result, the EJBCA default produced a serial number with 63 bits of entropy.

Sixty-three bits falls short of the required 64 and, as such, poses a theoretically unacceptable risk to the entire ecosystem. (Practically speaking, there's almost no chance of the certificates being maliciously exploited. More about that later.) Adam Caudill, the security researcher who blogged about the mass misissuance last weekend, pointed out that it's easy to assume a difference of a single bit would be largely inconsequential when considering numbers this big. In fact, he said, the difference between 2^63 and 2^64 is more than 9 quintillion.
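To make the one-bit point concrete, here is an added example (not code from the article, from EJBCA, or from any of the CAs named) that models the two behaviours described above: a serial built from 64 random bits whose top bit is forced to zero so the value stays non-negative, beside one that keeps all 64 bits and lets the DER encoder prepend a 0x00 octet instead. The helper that counts how many bit positions actually vary, and the sample sizes, are constructed for this illustration; the 20-octet limit is the RFC 5280 bound on serialNumber length.

```python
"""Why clearing the sign bit of a 64-bit random serial leaves 63 bits of entropy,
and how to keep all 64 bits while still emitting a positive DER INTEGER."""
import secrets
from typing import Callable

MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber MUST NOT exceed 20 octets
MASK_64 = (1 << 64) - 1


def serial_flawed(rng: bytes) -> int:
    """Model of the behaviour the article describes (constructed here, not EJBCA's
    source): take 64 random bits, then clear bit 63 so the integer is never negative.
    Bit 63 is now a constant, so only 63 bits carry randomness."""
    return int.from_bytes(rng[:8], "big") & ((1 << 63) - 1)


def serial_compliant(rng: bytes) -> int:
    """Keep all 64 random bits. Interpreting the bytes as an unsigned integer already
    gives a non-negative value; the sign question is settled in the DER encoder by a
    leading 0x00 octet, not by throwing away a random bit. Zero is rejected because
    RFC 5280 requires a positive serial; in practice the caller draws fresh bytes."""
    value = int.from_bytes(rng[:8], "big")
    if value == 0:
        raise ValueError("serial must be positive; draw fresh random bytes")
    return value


def der_integer_octets(value: int) -> bytes:
    """Minimal DER content octets for a positive INTEGER: enough bytes that the most
    significant bit is 0 (adds a 0x00 byte when bit 63 is set)."""
    if value <= 0:
        raise ValueError("DER serial must be positive")
    n = value.bit_length() // 8 + 1
    octets = value.to_bytes(n, "big")
    if len(octets) > MAX_SERIAL_OCTETS:
        raise ValueError("serial exceeds the RFC 5280 20-octet limit")
    return octets


def varying_bits(make_serial: Callable[[bytes], int], samples: int = 2000) -> int:
    """Count the bit positions (0..63) that take both values across `samples` draws
    from the OS CSPRNG. This is a sanity check on how many bits actually vary, not a
    formal entropy estimate; with 2000 samples a genuinely random bit is essentially
    certain to show up as both 0 and 1."""
    seen_one = 0
    seen_zero = 0
    for _ in range(samples):
        s = make_serial(secrets.token_bytes(8))
        seen_one |= s
        seen_zero |= (~s) & MASK_64
    return bin(seen_one & seen_zero).count("1")


def keyspace_gap() -> int:
    """How many more values a 64-bit serial can take than a 63-bit one."""
    return 2**64 - 2**63


if __name__ == "__main__":
    print("flawed serial, varying bits:   ", varying_bits(serial_flawed))
    print("compliant serial, varying bits:", varying_bits(serial_compliant))
    full = serial_compliant(bytes([0xFF] * 8))
    print("DER octets for 2^64-1:", der_integer_octets(full).hex())
    print("2^64 - 2^63 =", keyspace_gap())
```

The check worth keeping from this is the last one: a serial that genuinely uses 64 random bits will sometimes encode as nine octets (leading 0x00), so an auditor who only ever sees eight-octet serials from a CA has a cheap signal that the top bit is being clamped.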


Posted in Biz & IT, digital Certificate, TLS, transport layer security

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

January 23rd, 2019
The U.S. Department of Homeland Security (DHS) has today issued an "emergency directive" to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within the next 10 business days. The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking, which security researchers with "

Posted in certificate authority, certificate transparency, Cyber Attack, DHS, digital Certificate, DNS hijacking, dns security, DNS server, Government, Homeland Security, HTTPS, website security

Critical DoS Flaw found in OpenSSL — How It Works

September 23rd, 2016

The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks.

OpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well

Posted in ddos attack, denial-of-service attacks, digital Certificate, dos attack, hacking news, OpenSSL, OpenSSL vulnerability, SSL Certificate, Vulnerability

Chinese Certificate Authority ‘mistakenly’ gave out SSL Certs for GitHub Domains

August 29th, 2016

A Chinese certificate authority (CA) appeared to have made a significant security blunder by handing out duplicate SSL certificates for a base domain to anyone who merely controlled one of its subdomains.

The certificate authority, named WoSign, issued a base certificate for the GitHub domains to an unnamed GitHub user.

But how? First of all, do you know how the traditional Digital Certificate

Posted in certificate transparency, digital Certificate, free ssl certificate, GitHub, SSL Certificate, ssl security, website security

What is Certificate Transparency? How It helps Detect Fake SSL Certificates

April 11th, 2016

Do you know that a huge encryption backdoor still exists on the Internet, one that most people don't know about?

I am talking about the traditional Digital Certificate Management System… the weakest link, which is completely based on trust, and it has already been broken several times.

To ensure the confidentiality and integrity of their personal data, billions of Internet users blindly

Posted in certificate authority, certificate transparency, certificate transparency logs, digital Certificate, Digital Certificate Manager, forged SSL certificates, HTTPS, Lets Encrypt, SSL encryption