Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


See You, See Me: Certificate Transparency

November 20, 2017 by Marc Handelman in TLS, Information Security, Network Security, Certificate Authority, Certificates, Certificate Transparency

...and then there's this: Certstream, ostensibly a near real-time Certificate Transparency log stream (in this case an update stream that security engineers can plug into their unholy workflow). Fundamentally, security administrators, through prudent automation, can take a gander at TLS/SSL certificates as those objects are issued, in near real time, through the lens of Certstream. Really, a superb idea in the effort to afford transparency to the entire arcane methodology that is SSL/TLS certificate issuance. H/T

"Certificate Transparency aims to remedy these certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users. Specifically, Certificate Transparency has three main goals:

  • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued. Certificate Transparency satisfies these goals by creating an open framework for monitoring the TLS/SSL certificate system and auditing specific TLS/SSL certificates." via.
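Certstream's feed and the CT goals quoted above are only useful if something consumes them and compares what the logs show against what you actually authorised. As an added example (not Certstream's own code and not from the original post), here is a small Python monitor that consumes messages in the simplified shape certstream emits (the `data.leaf_cert.all_domains`, `data.chain` and `data.source` fields), matches each SAN against the domains we own, de-duplicates the same leaf appearing in several logs, and flags issuance by a CA that is not on our allow list. The watch list, the allow list and the sample stream are constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed watch list: apex domains this organisation owns (assumption for the example).
WATCHED_DOMAINS = {"example.com", "example.net"}

# Constructed allow list: common names of the issuing CAs we actually buy certificates from.
# Any other issuer producing a certificate for our names is treated as a candidate misissuance.
EXPECTED_ISSUERS = {"Example Issuing CA 1"}


@dataclass(frozen=True)
class Alert:
    fingerprint: str   # leaf fingerprint as the stream reports it
    name: str          # the SAN that matched a watched domain
    issuer: str        # CN of the issuing intermediate
    log: str           # which CT log the entry was seen in


def watched_apex(name: str) -> Optional[str]:
    """Map a SAN to the watched apex it belongs to, or None.

    '*.example.com' and 'a.b.example.com' map to 'example.com';
    'example.com.evil.net' and 'notexample.com' do not match.
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    for apex in WATCHED_DOMAINS:
        if name == apex or name.endswith("." + apex):
            return apex
    return None


class CTMonitor:
    """Consume certificate_update messages; emit one Alert per (leaf, matched name)
    whose issuer is not on the allow list."""

    def __init__(self) -> None:
        # The same certificate is normally submitted to several CT logs;
        # remember fingerprints so each leaf is judged once.
        self.seen: set = set()

    def check(self, msg: dict) -> List[Alert]:
        if msg.get("message_type") != "certificate_update":
            return []          # heartbeats and other message types carry no certificate
        data = msg["data"]
        leaf = data["leaf_cert"]
        fp = leaf["fingerprint"]
        if fp in self.seen:
            return []
        self.seen.add(fp)
        chain = data.get("chain") or []
        issuer = chain[0]["subject"].get("CN", "<unknown>") if chain else "<no chain>"
        log = data.get("source", {}).get("name", "<unknown log>")
        alerts: List[Alert] = []
        for san in leaf.get("all_domains", []):
            if watched_apex(san) is None:
                continue       # not our name
            if issuer in EXPECTED_ISSUERS:
                continue       # authorised issuance; record it in an inventory if you keep one
            alerts.append(Alert(fp, san, issuer, log))
        return alerts

    def run(self, messages: Iterable[dict]) -> List[Alert]:
        out: List[Alert] = []
        for m in messages:
            out.extend(self.check(m))
        return out


def _msg(fp, domains, issuer_cn, log_name):
    """Build a constructed message in the (simplified) shape certstream emits."""
    return {
        "message_type": "certificate_update",
        "data": {
            "update_type": "X509LogEntry",
            "leaf_cert": {"fingerprint": fp, "all_domains": domains},
            "chain": [{"subject": {"CN": issuer_cn}}],
            "source": {"name": log_name},
        },
    }


# Constructed sample stream (not real log data).
SAMPLE_STREAM = [
    {"message_type": "heartbeat"},
    _msg("AA:01", ["www.example.com", "example.com"], "Example Issuing CA 1", "Log A"),
    _msg("AA:02", ["*.example.com"], "Some Other CA", "Log A"),
    _msg("AA:02", ["*.example.com"], "Some Other CA", "Log B"),   # same leaf, second log
    _msg("AA:03", ["example.com.evil.net", "notexample.com"], "Some Other CA", "Log A"),
    _msg("AA:04", ["mail.corp.example.net", "unrelated.org"], "Some Other CA", "Log C"),
]


def demo() -> List[Alert]:
    return CTMonitor().run(SAMPLE_STREAM)


if __name__ == "__main__":
    for a in demo():
        print(json.dumps(a.__dict__))
```

On the sample stream this raises exactly two alerts: the wildcard for example.com issued by "Some Other CA" (reported once, although it appears in two logs) and the example.net mail host. The lookalike names in the third message are correctly ignored; that is a job for a separate phishing-domain watch, not for the misissuance check.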

33c3, Martin Schmiedecker's 'Everything you always wanted to know about Certificate Transparency' →

January 26, 2017 by Marc Handelman in All is Information, Conferences, Certificate Authority, Information Security

Meanwhile, In Illicit SSL Certificate News... →

January 23, 2017 by Marc Handelman in Blatant Stupidity, Certificate Authority, Transport Layer Security

Blatant stupidity displayed by Symantec Corporation (NasdaqGS:SYMC) in the hotly-contested CA space is the topic of today's how-not-to-do-business-in-the-technical-sector. Evidence published on Friday of last week by Ars Technica Security Editor Dan Goodin points to illicit certificate issuance by the company. The discovery was made by a third-party reseller, SSLMate. Read it and weep for the encrypted interwebs.


Symantec Certificate Authority Investigated →

November 05, 2015 by Marc Handelman in All is Information, Cryptography, Certificate Authority, Information Security, WebTrust

Google, Inc. (NasdaqGS:GOOG) has notified Symantec Corporation (NASDAQ:SYMC) of requirements it is imposing on the Symantec Certificate Authority, following apparent malfeasance in managing the company's Certificate Authority infrastructure, and specifically certificates issued without notifying the owners of the domains concerned.

The implications of the action range far, both in scope (the specific certificates under scrutiny: "Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered." - posted by Ryan Sleevi, Software Engineer at Google, Inc.) and in Google's efforts to enforce WebTrust requirements in the digital certificate realm. This is why I say, Trust - But Verify...

"It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner." - Posted by Ryan Sleevi, Software Engineer at Google, Inc.

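Requiring a certificate to "support Certificate Transparency" means, concretely, that it carries Signed Certificate Timestamps (SCTs) from CT logs, most commonly embedded in the certificate's SCT extension as the TLS-encoded SignedCertificateTimestampList of RFC 6962, section 3.3. As an added example (not Google's, Symantec's or the original post's code), here is a Python parser for that structure, with strict length checking, plus a check of which recognised logs vouched for the certificate. The log IDs, signature bytes and the sample list are constructed data built by the helper at the bottom; the parser decodes SCTs but does not verify their signatures, which would need each log's public key.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# RFC 5246 SignatureAndHashAlgorithm code points used by CT logs.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}


class SCTParseError(ValueError):
    pass


@dataclass(frozen=True)
class SCT:
    version: int        # 0 == v1, the only version RFC 6962 defines
    log_id: bytes       # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: str
    sig_alg: str
    signature: bytes    # signature over the signed struct; not verified here

    def timestamp(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp_ms / 1000, tz=timezone.utc)


def _vec16(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read an opaque<0..2^16-1> vector: 2-byte big-endian length, then that many bytes."""
    if off + 2 > len(buf):
        raise SCTParseError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise SCTParseError("vector runs past end of buffer")
    return buf[off:off + n], off + n


def parse_sct(b: bytes) -> SCT:
    """Parse one SerializedSCT (version, log id, timestamp, extensions, digitally-signed)."""
    if len(b) < 1 + 32 + 8:
        raise SCTParseError("SCT shorter than its fixed header")
    version = b[0]
    if version != 0:
        raise SCTParseError(f"unsupported SCT version {version}")
    log_id = b[1:33]
    (ts,) = struct.unpack_from(">Q", b, 33)
    ext, off = _vec16(b, 41)
    if off + 2 > len(b):
        raise SCTParseError("missing SignatureAndHashAlgorithm")
    hash_alg, sig_alg = b[off], b[off + 1]
    if hash_alg not in HASH_ALGS or sig_alg not in SIG_ALGS:
        raise SCTParseError(f"unexpected algorithm pair {hash_alg},{sig_alg}")
    sig, off = _vec16(b, off + 2)
    if off != len(b):
        raise SCTParseError("trailing bytes after SCT")
    return SCT(version, log_id, ts, ext, HASH_ALGS[hash_alg], SIG_ALGS[sig_alg], sig)


def parse_sct_list(raw: bytes) -> List[SCT]:
    """Parse a SignedCertificateTimestampList (the bytes inside the extension's OCTET STRING)."""
    body, end = _vec16(raw, 0)
    if end != len(raw):
        raise SCTParseError("trailing bytes after list")
    scts: List[SCT] = []
    off = 0
    while off < len(body):
        item, off = _vec16(body, off)
        scts.append(parse_sct(item))
    if not scts:
        raise SCTParseError("empty SCT list")  # RFC 6962 requires at least one entry
    return scts


def distinct_known_logs(scts: List[SCT], known_logs: Dict[bytes, str]) -> List[str]:
    """Sorted names of the distinct recognised logs that issued SCTs for this certificate.
    SCTs from logs you do not recognise give no assurance; browser policies require
    several SCTs from distinct trusted logs, so count distinct logs, not SCTs."""
    return sorted({known_logs[s.log_id] for s in scts if s.log_id in known_logs})


# Builder, used only to construct offline sample data (assumed values, not real SCTs).
def build_sct(log_id: bytes, ts_ms: int, signature: bytes) -> bytes:
    assert len(log_id) == 32
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms)
            + struct.pack(">H", 0)                 # no extensions
            + bytes([4, 3])                        # sha256, ecdsa
            + struct.pack(">H", len(signature)) + signature)


def build_sct_list(items: List[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in items)
    return struct.pack(">H", len(body)) + body


LOG_A = bytes([0xA1]) * 32                         # constructed log ids
LOG_B = bytes([0xB2]) * 32
KNOWN_LOGS = {LOG_A: "Example Log A", LOG_B: "Example Log B"}
SAMPLE_LIST = build_sct_list([
    build_sct(LOG_A, 1447_000_000_000, b"\x30\x44" + b"\x00" * 68),
    build_sct(LOG_B, 1447_000_000_500, b"\x30\x45" + b"\x00" * 69),
])

if __name__ == "__main__":
    for s in parse_sct_list(SAMPLE_LIST):
        print(s.log_id.hex()[:16], s.timestamp().isoformat(), s.hash_alg, s.sig_alg)
    print(distinct_known_logs(parse_sct_list(SAMPLE_LIST), KNOWN_LOGS))
```

Every length is checked against the enclosing buffer before it is used, and both a truncated list and a list with trailing bytes are rejected rather than silently accepted; that strictness is what you want in anything that feeds a trust decision. The extension carries the list inside a DER OCTET STRING, so strip that wrapper (any X.509 library will hand you the inner bytes) before calling `parse_sct_list`.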


Google Discovers Bad Certificate, CA Authority Nonfeasance

March 24, 2015 by Marc Handelman in All is Information, Information Security, Network Security, Certificate Authority

Via the Google Online Security Blog comes news of a nasty bit of work, and a serious breach of the CA process; read on (if you dare)...

Google Inc. (NasdaqGS: GOOG) Network Security managed to grab the brass ring with its discovery of a bad certificate issued by a Cairo, Egypt based network firm, thereby successfully maintaining the chain of security for the search leviathan's digital certificates.

The discovery of the bad certificate also exposed evidence of nonfeasance at the CA, in this case CNNIC, which had contractually delegated an intermediate certificate to that firm; the intermediate ended up installed on hardware (a proxy device, apparently used by its owner to intercept user traffic, i.e. a MITM) and was used to issue the bad certificates.

"On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC." - via Google Inc. Security Engineer Adam Langley on the Google Online Security Blog
