Thickening Digital/SSL Certifications (mini-whitepaper)


Current malware trends seem to be focusing on certificate theft and forgery. Certificate forgery has been a plaguing problem since 2011, and since last year CAs have shown high-risk exposure to it. From Stuxnet to Flame, certificate forgery has been on the rise in a big way.

Normally, web browsers and operating systems keep a copy of a certificate and “pin it” to an identity, the public key. Microsoft, aware of this issue, has issued its own Automatic Revocation Updater (Windows Vista SP2 and later). Through it, Windows is able to specifically flag certain certificates that are known to be malicious.

How Microsoft decides which RSA keys and certificates to trust:

“Public key based cryptographic algorithms’ strength is determined based on the time taken to derive the private key using brute force methods. The algorithm is deemed to be strong enough when the time required to derive the private key is prohibitive enough using the computing power at disposal. The threat landscape continues to evolve. As such, we are further hardening our criteria for the RSA algorithm with key length less than 1024 bits. To further reduce the risk of unauthorized exposure of sensitive information, Microsoft has created a software update that will be released in August 2012 for the following operating systems: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2,” Hudson said.

Now, top CAs for online certificates, including Comodo, GlobalSign, DigiCert, etc., together with NGINX, have enhanced online revocation checking so that revoked or maliciously issued certificates can be caught.

NGINX’s announcement explains:

Today GlobalSign, DigiCert, Comodo and Nginx Inc. announced a joint effort and a sponsored development contract, to enhance the NGINX open source Web server to support OCSP-stapling. This collaboration further advances the SSL ecosystem by improving the privacy, reliability and revocation checking for all websites using the NGINX web server—currently run by more than 25 percent of the top 1,000 websites, and by 70,000,000 websites on the Internet overall.

“The team at NGINX is delighted that GlobalSign, DigiCert and Comodo support the OCSP stapling enhancement to the NGINX webserver,” said Igor Sysoev, CTO and principal architect at NGINX. “We have been continuously working on enhancements to NGINX that increase performance, reliability and security. With improved SSL functionality we expect the vast majority of our customers to share our enthusiasm for increased safety on the Internet.”

Continued here
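What the stapling enhancement looks like from an administrator’s side, as an added example (my own illustration, not configuration from NGINX Inc. or the announcement above); the hostname, certificate paths and resolver address are placeholders:

```nginx
# Added example: a TLS server block with OCSP stapling enabled.
# Hostname, file paths and resolver IP are placeholders, not real values.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # leaf + intermediates
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # NGINX fetches the OCSP response for its own certificate and attaches
    # ("staples") it to the TLS handshake, so the client need not contact
    # the CA's OCSP responder itself (better privacy and reliability).
    ssl_stapling on;

    # Make NGINX validate the OCSP response it fetched before stapling it;
    # a response that fails verification is not sent to clients.
    ssl_stapling_verify on;

    # Root and intermediate certificates used to verify the OCSP response
    # (and, with ssl_stapling_verify, the responder's signing certificate).
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;

    # Resolver used to look up the OCSP responder named in the certificate's
    # Authority Information Access (AIA) extension.
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;
}
```

To confirm stapling is actually being served, connect with `openssl s_client -connect example.com:443 -status` and look for “OCSP Response Status: successful” in the output; a “no response sent” line means the server is not stapling yet.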

Alternatively, a system like Convergence is worth considering; it is a good replacement for the CA-based certificate model online. See this link for more info.

See more good reading below…

Avoid troubles with malware entirely by purchasing Malwarebytes’ Anti-Malware.


About Dr Jay


Trackbacks / Pingbacks

  1. September Patch Tuesday 2012 updates « seCURE Connexion - September 12, 2012