Twelve Word Tuesday: All I Want for Christmas Is a Meaningful SSL Certificate

SSL certificates today are to security as balsa wood is to strength.

(New Microsoft advisory for unauthorized SSL certificate issuance reported yesterday by Google.)


Posted December 17, 2013 at 4:50 PM

Marc Kolenko

So I think the real issue around SSL encryption techniques, certificate issuance and key distribution mechanisms is the validity of the certificate based on who's authorized to create and disseminate them, not just the Certificate Authority (CA) role or function. SSL/HTTPS is pretty fundamental to most web-based transactions, thus not going away any time soon. Maybe certificate and key creation need to be done in what's the equivalent of a foundry protected by hardware roots of trust, attestation or something analogous to Permissive Action Link (PAL), i.e., the 2-man rule. Authentic certificates and associated private keys need to be better protected as well. Thinking out loud here, there are good examples of this emerging in the CSP space; Thales comes to mind, combined with Microsoft Rights Management server.

Posted December 19, 2013 at 11:19 AM

John Pescatore

The CA plays a pretty important role in making sure that a certificate is only issued to the appropriate/legitimate/valid person/organization: that's the registration function. Unfortunately, the SSL certificate industry has focused mostly on reducing the cost of registration vs. increasing the rigor, despite efforts like Extended Validation certs.

