Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms

Miscreants Manipulate Mimecast Certificate -> Microsoft 365 Exchange Web Services: Welcome To The Pew Pew

January 13, 2021 by Marc Handelman in Certificates, Certificate Theft, Certificate Manipulation, Information Security, Cyber Miscreants

In regard to connectivity to the security black hole also known as Microsoft Corporation's Office 365: Microsoft Corporation claims there is nothing to see here.

'Approximately 10 percent of our customers use this connection. Of those that do, there are indications that a low single-digit number of our customers’ M365 tenants were targeted. We have already contacted these customers to remediate the issue. As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available. Taking this action does not impact inbound or outbound mail flow or associated security scanning.' - via Mimecast et al.

Apple Harshes Cumulative Mellow: Enforces Unilateral TLS Certificate 13 Month Time Limit In Safari Web Browser

February 28, 2020 by Marc Handelman in Harsh The Mellow, Network Security, TLS, Information Security, Certificates

Is it possible this is just an effort at redirection? Maybe (OK, it's a thin argument, I'll admit, but stick around; it may prove to be interesting or funny, or maybe both) an effort to take our scrutiny off the ongoing skirmishing over the United States DOJ's foolish anti-encryption effort against Apple Inc.'s (NASDAQ: AAPL) encrypted bit-buckets? After all, in 2018 the Certification Authority Browser Forum (the CA/Browser Forum) managed to hammer out a deal to move the timeline to 2 years, so 13 months is not as bizarre a tightening of the lasso as many reckon. You be the judge, and in the meantime check out Richi Jennings' take (and others' very amusing responses as well) regarding this issue at Security Boulevard.

EV Cert Abuse, The Litany

December 14, 2017 by Marc Handelman in Information Security, Certificates

Catalin Cimpanu, writing expertly at Bleeping Computer, tells the tale of Extended Validation (EV) certificate abuse and its tremendously negative consequences. Today's Must Read.

See You, See Me: Certificate Transparency

November 20, 2017 by Marc Handelman in TLS, Information Security, Network Security, Certificate Authority, Certificates, Certificate Transparency

...and then there's this: Certstream, ostensibly a near 'real-time' certificate transparency log stream (in this case an update stream that security engineers can plug into their unholy workflow). Fundamentally, security administrators - through prudent automation - can take a gander at TLS/SSL certificates as those objects are issued, in near 'real time', through the lens of Certstream. Really, a superb idea in the effort to afford transparency to the entire arcane methodology that is SSL/TLS certificate issuance. H/T

"Certificate Transparency aims to remedy these certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users. Specifically, Certificate Transparency has three main goals:

  • Make it impossible (or at least very difficult) for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued. Certificate Transparency satisfies these goals by creating an open framework for monitoring the TLS/SSL certificate system and auditing specific TLS/SSL certificates." via.
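The "prudent automation" mentioned above, in the shape a domain owner would actually run it: a small watchlist monitor that inspects certificate-transparency entries as they arrive and flags certificates for domains you own that came from a CA you did not expect, or that are wildcards. This is an added example, not code from this blog or from the Certstream project; the sample entries are constructed and only loosely follow the shape of Certstream's JSON messages (`message_type`, `data.leaf_cert.all_domains`, `data.chain[0].subject.O`), which is an assumption. The watched domains and expected issuers are likewise made up for the demonstration.

```python
"""Watchlist monitor over certificate-transparency log entries.

Added example, not code from Infosecurity.US or from the Certstream
project. The message shape below is assumed to loosely match
Certstream's JSON; a real deployment would feed live messages into
check_entry() instead of the constructed SAMPLE_ENTRIES.
"""
from dataclasses import dataclass

# Domains we own and the CAs we expect to issue for them (constructed).
OWNED_DOMAINS = {"example.com", "example.org"}
EXPECTED_ISSUERS = {"Let's Encrypt", "DigiCert Inc"}


@dataclass(frozen=True)
class Finding:
    leaf_domain: str   # the SAN/CN that matched a watched domain
    watched: str       # the watched base domain it matched
    issuer: str        # organisation of the issuing CA
    reason: str        # why an operator should care


def base_domain(name: str) -> str:
    """Lower-case the name and strip a leading wildcard marker."""
    name = name.strip().lower()
    return name[2:] if name.startswith("*.") else name


def matches_watched(name: str, watched: str) -> bool:
    """True if `name` is the watched domain or a subdomain of it."""
    n = base_domain(name)
    return n == watched or n.endswith("." + watched)


def check_entry(entry: dict) -> list[Finding]:
    """Return one Finding per SAN that touches a watched domain.

    Every hit is recorded, including expected ones: CT's first goal is
    that the owner *sees* every certificate for their domain. The
    reason field separates routine issuance from things to act on.
    """
    findings: list[Finding] = []
    if entry.get("message_type") != "certificate_update":
        return findings                      # heartbeats etc. carry no cert
    leaf = entry["data"]["leaf_cert"]
    issuer = entry["data"]["chain"][0]["subject"].get("O", "<unknown>")
    for name in set(leaf.get("all_domains", [])):
        for watched in OWNED_DOMAINS:
            if not matches_watched(name, watched):
                continue
            if issuer not in EXPECTED_ISSUERS:
                reason = "unexpected issuer"
            elif name.startswith("*."):
                reason = "wildcard certificate"
            else:
                reason = "expected issuance"
            findings.append(Finding(name.lower(), watched, issuer, reason))
    return findings


def alerts(entries) -> list[Finding]:
    """Only the findings worth paging someone for."""
    return [f for e in entries for f in check_entry(e)
            if f.reason != "expected issuance"]


# Constructed sample stream in a Certstream-like shape (assumption).
SAMPLE_ENTRIES = [
    {"message_type": "certificate_update",
     "data": {"leaf_cert": {"all_domains": ["www.example.com", "example.com"]},
              "chain": [{"subject": {"O": "Let's Encrypt"}}]}},
    {"message_type": "certificate_update",
     "data": {"leaf_cert": {"all_domains": ["login.example.com"]},
              "chain": [{"subject": {"O": "Untrusted CA Ltd"}}]}},
    {"message_type": "certificate_update",
     "data": {"leaf_cert": {"all_domains": ["*.example.org"]},
              "chain": [{"subject": {"O": "DigiCert Inc"}}]}},
    {"message_type": "heartbeat", "data": {}},
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_ENTRIES):
        print(f"ALERT {f.reason}: {f.leaf_domain} ({f.watched}) issued by {f.issuer}")
```

Run against the sample stream it raises two alerts: the `login.example.com` certificate from a CA not on the expected list, and the `*.example.org` wildcard. The routine Let's Encrypt issuance for `example.com` is recorded by `check_entry()` but filtered out by `alerts()`, which is the split a domain owner wants: full visibility for audit, paging only for surprises. Matching is done on the stripped, lower-cased name so `*.Example.COM` and `example.com` land on the same watched entry.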