22. April 2011 · Categories: blog

First, let me amend a comment I made in my last post, How is SSL hopelessly broken? I said that browsers need to alert users to which type of SSL certificate a web site is using. Actually, browsers do alert you when an Extended Validation (EV) certificate is in use, by turning all or a portion of the displayed URL bar green. Here are PayPal examples using Firefox and Internet Explorer (via Netcraft):

However, the rest of my recommendation stands, because browsers provide no positive indicator for Organization Validated (OV) or Domain Validated (DV) certificates. I recommend yellow for DV and OV certs, indicating caution.

Second, Netcraft just published a survey showing that EV certs represent only 2.3% of all sites tested. Of the 1,000 highest-traffic sites, 81 accepted HTTPS, and “nearly a third of these certificates used Extended Validation.”

The good news is that the use of EV certs is growing:


12. April 2011 · Categories: blog

How is SSL hopelessly broken? Let us count the ways • The Register.

Excellent article discussing the flaws in SSL, mostly problems with Certificate Authorities. The comments are also worth reading.

However, the deeper problem is that most end users don’t understand the three types of certificates: Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV).

Browsers need to alert consumers to the three types and indicate the limited assurance a DV cert provides: the CA checked only that the applicant controls the domain, not who is operating the site. Consumers would then begin to shy away from sites using DV certs, which would push web sites to use OV and EV certs. Without this, web sites are going to continue to use DV certs.

While this won’t solve all of the SSL problems Dan Goodin identified, I think it would be a big improvement.
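The three types are not labels a browser invents; they are read out of the certificate itself. The CA records the validation level it performed as a policy OID in the certificatePolicies extension (the CA/Browser Forum OIDs are 2.23.140.1.1 for EV, 2.23.140.1.2.2 for OV and 2.23.140.1.2.1 for DV), and an OV or EV cert additionally carries the vetted company name in the Subject's O= attribute, which a DV cert lacks. The following Go program is an added example, not code from the original post or from any browser; it classifies a leaf certificate from those two signals and self-signs a few throwaway certificates inline (host name and organization are made up) to exercise the classifier offline. It reports only what the certificate asserts about itself: checking that the issuer is trusted to make that assertion is the separate chain-validation step, and real browsers also consult a per-CA list of EV policy OIDs rather than the single CA/Browser Forum OID used here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Policy OIDs defined by the CA/Browser Forum. A CA puts one of these in the
// certificatePolicies extension to state which validation level it performed.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidEV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidDV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
)

// ValidationType classifies a parsed leaf certificate as "EV", "OV" or "DV".
// It reports only what the certificate asserts about itself; whether the
// issuer is trusted to make that assertion is a separate chain-validation step.
func ValidationType(cert *x509.Certificate) string {
	// Preferred signal: an explicit CA/Browser Forum policy OID.
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidEV):
			return "EV"
		case p.Equal(oidOV):
			return "OV"
		case p.Equal(oidDV):
			return "DV"
		}
	}
	// Fallback for certs without a policy OID: a DV cert names only the host
	// (CN/SAN); an OV cert also carries the vetted organization in Subject O=.
	if len(cert.Subject.Organization) > 0 {
		return "OV"
	}
	return "DV"
}

// makeTestCert self-signs a throwaway certificate with the given Subject and
// policy OIDs, then parses it back, so the classifier can be exercised offline.
// The certificatePolicies extension is encoded by hand (SEQUENCE OF
// PolicyInformation, each holding just the policyIdentifier OID) instead of
// through the template's PolicyIdentifiers field, so the output is the same
// across Go versions. Subject and host name are constructed sample values.
func makeTestCert(subject pkix.Name, policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{subject.CommonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if len(policies) > 0 {
		type policyInformation struct {
			Policy asn1.ObjectIdentifier
		}
		infos := make([]policyInformation, len(policies))
		for i, p := range policies {
			infos[i].Policy = p
		}
		der, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	host := "www.example.com" // constructed sample host
	org := []string{"Example Corp"}
	cases := []struct {
		label    string
		subject  pkix.Name
		policies []asn1.ObjectIdentifier
	}{
		{"host only, no policy", pkix.Name{CommonName: host}, nil},
		{"O= present, no policy", pkix.Name{CommonName: host, Organization: org}, nil},
		{"O= present, EV policy", pkix.Name{CommonName: host, Organization: org}, []asn1.ObjectIdentifier{oidEV}},
		{"O= present, DV policy", pkix.Name{CommonName: host, Organization: org}, []asn1.ObjectIdentifier{oidDV}},
	}
	for _, c := range cases {
		cert, err := makeTestCert(c.subject, c.policies...)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24s -> %s\n", c.label, ValidationType(cert))
	}
}
```

The last case is the one worth noticing: a certificate can carry an organization name and still be DV if the CA's policy OID says so, which is why the policy OID is checked before the Subject heuristic. Anything this function returns is only as trustworthy as the CA that issued the cert, so it belongs after, not instead of, normal chain validation against the root store.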

03. April 2011 · Categories: blog

Massive Breach at Epsilon Compromises Customer Lists of Major Brands | SecurityWeek.Com.

Epsilon’s breach is the latest in a string of breaches at Email Service Providers (ESPs). The ESPs respond by saying it’s only email addresses. However, RSA’s latest update on its SecurID breach said it started with a spear phishing attack, and a list of valid addresses tied to the brands those people already do business with is exactly what a targeted phishing campaign needs.