Featuring 8 Papers as of January 24, 2017
Superfish and TLS: A Case Study of Betrayed Trust and Legal Liability (STI Graduate Student Research)
by Sandra Dunn - January 24, 2017
Superfish, the bloat adware included in Lenovo consumer laptops from 2014-2015, which intentionally broke TLS, exposed users' personal data to compromise and theft, and altered search result ads in users' browsers, severely impacted Lenovo's brand reputation. There have been other high-profile cases of intentionally modifying and breaking TLS that used questionable and deceptive practices, but few that generated as much attention and provide such a clear example of a chain of missteps between Lenovo, Superfish, and their customers. A case study of the Superfish mishap exposes the danger, risk, legal liability, and potential government investigation for organizations deploying TLS certificates and keys that break or weaken the security design and put private data or people at risk. The Superfish case further demonstrates the importance of a company's disclosure transparency to avoid accusations of deceptive practices if breaking TLS is required to protect users or an organization's data.
The Scary and Terrible Code Signing Problem You Don't Know You Have (STI Graduate Student Research)
by Sandra Dunn - October 28, 2015
SSL 3.0 / TLS 1.0 certificates are built on the X.509v3 PKI standard and provide the framework that the code signing process uses. Code signing uses PKI and X.509v3 certificates issued by a trusted certificate authority to validate that the code being installed on a device comes from a trusted vendor.
Implementing Public Key Infrastructure (PKI) Using Microsoft Windows Server 2012 Certificate Services
by Michael Naish - September 16, 2014
Public Key Infrastructure (PKI) can be distilled into two critical parts: a public and a private key.
Building and Managing a PKI Solution for Small and Medium Size Business (STI Graduate Student Research)
by Wylie Shanks - December 23, 2013
The use of Public Key Infrastructure (PKI) can be an effective way to meet business, regulatory, and compliance requirements.
Who do you trust?
by Matthew Luallen - August 3, 2011
While certificates have their uses in a security regimen, they are not a bullet-proof method to ensure the authenticity of software, a person, or communications.
What Secure Site Seals Mean to Consumers
by Kwok Chan - October 2, 2002
We definitely trust brand names, and the brand name is the key to locating the merchant in the great internet world of web sites.
Security Alert: Fraudulent Digital Certificates
by Ferdinand Gomes - June 7, 2001
Digital certificates are critical for businesses and customers who download patches, updates and various other forms of software from the Internet.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.