Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms

Apple Harshes Cumulative Mellow: Enforces Unilateral TLS Certificate 13 Month Time Limit In Safari Web Browser

February 28, 2020 by Marc Handelman in Harsh The Mellow, Network Security, TLS, Information Security, Certificates

Is it possible this is just an effort at redirection? Maybe (OK, it's a thin argument, I'll admit, but stick around, it may prove to be interesting or funny or maybe both) to take our scrutiny off the on-going skirmishing between the United States DOJ's foolish anti-encryption effort and Apple Inc.'s (NASDAQ: AAPL) encrypted bit-buckets? After all, in 2018 the Certification Authority Browser Forum (the CA/Browser Forum) managed to hammer out a deal to move the maximum certificate lifetime to 2 years (825 days), so 13 months (Apple's rule, precisely, is 398 days, applied to certificates issued on or after September 1, 2020) is not as bizarre a tightening of the lasso as many reckon. You be the judge - and in the meantime, check out Richi Jennings' take (and others' very amusing responses as well) regarding this issue at Security Boulevard.

USENIX Enigma 2019, Daniel Zappala's 'Using Architecture And Abstractions To Design A Security Layer For TLS' →

September 12, 2019 by Marc Handelman in USENIX Enigma 2019, Security Architecture, Information Security, TLS, Education, Conferences

Thanks to USENIX for publishing the outstanding USENIX Enigma 2019 conference videos on their YouTube Channel.

ShowMeCon 2019, John Wagnon's 'TLSv1.3: Minor Version, Major Changes' →

July 11, 2019 by Marc Handelman in ShowMeCon, Irongeek, Information Security, TLS, Education, Conferences

Videography Credit: Irongeek (Adrian Crenshaw, et al.)
Please visit Irongeek for additional videographer credits and important information. Enjoy!


TLS 1.3 Final Finalized, Finally

August 15, 2018 by Marc Handelman in ISOC, Infosec Policy, IETF, TLS

Truly astonishing how long our beloved (Hmmmmmm) IETF takes to remediate its own sub-organization's bad decisions, even with a stop-gap measure... TLS 1.3 was at last published as RFC 8446 in August 2018.

The Forward Secrecy Chronicles, TLS 1.3 Hath Garnered Favor →

April 02, 2018 by Marc Handelman in TLS, Information Security, ISOC, IETF, Network Security, Network Protocols

Good news for mankind (and their AI minions) traversing the web's winding corridors of nattering decrepitude and bubbling evil: Transport Layer Security 1.3 has won approval from the Gods of the IETF, with nary a bleat of negativity. Rejoice!

See You, See Me: Certificate Transparency

November 20, 2017 by Marc Handelman in TLS, Information Security, Network Security, Certificate Authority, Certificates, Certificate Transparency

...and then there's this: Certstream, ostensibly a near 'real-time' Certificate Transparency log stream (in this case an update stream that security engineers can plug into their unholy workflow). Fundamentally, security administrators - through prudent automation - can take a gander at TLS/SSL certificates as those objects are issued, in near 'real time', through the lens of Certstream. Really, a superb idea in the effort to afford transparency to the entire arcane methodology that is SSL/TLS certificate issuance. H/T

"Certificate Transparency aims to remedy these certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users. Specifically, Certificate Transparency has three main goals:

  • Make it impossible (or at least very difficult) for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.

Certificate Transparency satisfies these goals by creating an open framework for monitoring the TLS/SSL certificate system and auditing specific TLS/SSL certificates." via.

TLS-N, The Sharing →

October 30, 2017 by Marc Handelman in Information Security, Network Security, TLS

News (HatTip) of TLS-N, the new extension to Transport Layer Security that ostensibly permits both non-repudiation and secure data sharing (think blockchain smart-contract data sharing). The project's whitepaper detailing TLS-N is today's Must Read artifact. Outstanding.

USENIX Enigma 2017 — Emily Schechter's 'Inside 'MOAR TLS...' →

August 29, 2017 by Marc Handelman in All is Information, Conferences, Education, TLS, Network Security, Information Security, USENIX

Jack's Right →

April 13, 2017 by Marc Handelman in All is Information, Common Sense, Transport Security, Transport Layer Security, TLS, Web Security, Network Security

Of course he is; and why wouldn't he be? Just plain old common sense, dammit. Read his superlatively on-target post, and you'll understand exactly why - in fact - Jack is right.
