Security industry insiders sometimes use the phrase "crypto agility." In this episode our hosts define crypto agility - or cryptographic agility. They explain why crypto agility is more important than ever, why the pace of cryptographic change is going up, and what certificate subscribers can do to improve their crypto agility.
As part of its quantum safe initiative, Sectigo is now offering its Quantum Safe Kit, which enables the creation of hybrid TLS certificates. In this episode our hosts are joined by guest Alan Grau to explain what hybrid certificates are, how they are essential to transitioning to quantum-safe crypto, and the ways enterprises can begin using them today.
This year the CA/Browser Forum has put considerable discussion into the concept of "default deny." It's a philosophy for how to interpret potential ambiguities in existing guidelines for public certificates, and how you land on the default-deny question can have a significant impact on how you interpret the rules. Join our hosts as they describe this debate and its potential impact on public certificates.
Ripple20 is a recently announced set of documented vulnerabilities in the early Treck TCP/IP stack, a popular choice for early IoT devices. Our hosts are joined by guest Alan Grau, who explains the significance of these vulnerabilities, the difficulties in dealing with them, and how we can improve to avoid these problems in the future.
Accelerated Mobile Pages, or AMP, is a Google standard for packaging web content for consistent and usable display on mobile devices. SXG certificates enable the display of the original publisher's authenticated URL in the mobile reader. Join us as we explain the potential benefits of SXG to readers and content publishers.
Quantum computers' threat to standardized encryption algorithms RSA and ECC has been much discussed. But what about our hashing algorithms? Do quantum computers pose a similar threat to SHA-2? Join our hosts as they discuss the difference between Shor's Algorithms and Grover's Algorithm, which applies to each part of cryptography, and how significant quantum computing will be for each.
Certificate pinning is the practice of coding software to demand the presence of a specific certificate brand or root in order to function correctly. Though once considered a legitimate security option, certificate pinning is widely discredited because it carries unacceptable certificate agility costs. Join our hosts as they explain what certificate pinning is, how it came about, and why nearly all developers should avoid certificate pinning today.
For more than a year Sectigo has been providing the market with information to understand what we all must do to change our cryptography to prepare for quantum computers. Now Sectigo has announced Sectigo Quantum Labs, a destination for education on quantum-safe certificates (QSC) and our Quantum-Safe Kit, which allows enterprises to create their own hybrid quantum-safe certs. Join us as we articulate what Sectigo Quantum Labs has to offer you.
Distributed data centers are extremely common in today's computing environments. Unencrypted replication of data across these centers leaves data open to theft. Nonetheless, existing systems and software leave that possibility open, and sometimes data replication occurs in the clear. Our hosts explain how this situation can come about and what to do about it.
When you obtain an SSL certificate, you can choose between single-domain, multi-domain, and wildcard certificates. Join our hosts as they explain the different domain spaces available with TLS certificates and the pros and cons of each approach.
SMS-based one time password (OTP) is a very commonly used form of multi-factor authentication (MFA). That's because it's fast and inexpensive to roll out to users. Unfortunately it is deeply vulnerable to a set of well-defined attacks. In this episode our hosts explain why SMS MFA became so popular and how this outdated MFA scheme fails to provide the security expected by those who use it.
Root expirations occasionally make headlines by breaking systems, but it's a fact that certificates are expiring every day, each a potential outage waiting to happen. So why do certificates expire in the first place? Join our hosts as they discuss the reasons for expiration, its advantages over other mechanisms like revocation, and the right amount of time for a certificate to last.
ETSI has published its new Baseline Requirements for consumer IoT device security, which includes a number of provisions directly related to encryption, strong identity, and device software integrity. Join our hosts as they describe the PKI-related portions of the new ETSI requirements and why they are valuable for security.
A recently identified and widespread configuration error has created a situation where, with the wrong attack on certain public roots, certificates could become essentially unrevokable. As a consequence, 14 public CAs will have to revoke their OCSP certificates, many of which are also intermediates, and permanently discontinue use of their keys. That leaves millions of active TLS, S/MIME, code signing, and document signing certificates in need of immediate replacement or they will be distrusted....
Many people know that TOR is a browser used for anonymous online activity, but most of us don't know much more than that. In this episode our hosts explain how the TOR network operates, what its potential value is, and how TOR compares to a VPN.
Our hosts often discuss the idea of errors in PKI implementations and the potential negative consequences for organizations. In this episode they categorize twenty-one PKI pitfalls to avoid according to five main categories of error: certificate problems, deployment problems, systemic security problems, governance problems, and visibility problems. Join us for a crisp description of these twenty-one pitfalls so you can be on the lookout for them.
The need to suddenly enable nearly 100% of information workers for secure, productive work-from-home was a curve ball for IT departments to deal with around the world. Sectigo recently released the results of a commissioned survey of 500 IT professionals about the impact of widespread WFH requirements on IT departments, roadmaps, security, and employee productivity. In this episode our hosts go over the biggest findings from this study.
A newly proposed US Senate bill called the Lawful Access to Encrypted Data Act would require service providers and device manufacturers to provide access to encrypted data based on a valid warrant. In this episode our hosts explain the bill's contents and some of the opportunities and pitfalls it presents.
Google has just announced the coming availability of end-to-end encryption for its chat service. In this episode our hosts describe the spectrum of potential protection within the capabilities we call end-to-end encryption, including forward secrecy and durability of keys.
Once widely used, SHA-1 is considered insecure today and has been deprecated from the most common PKI use cases. OpenSSH recently provided a roadmap to its eventual deprecation of SHA-1. Join our hosts as they discuss the long, complex process of sunsetting a widely used cryptographic practice, the factors that contribute to these practices continuing beyond their secure lifespans, and the importance of crypto agility.
The recent expiration of Sectigo's AddTrust legacy root caused some systems to stop working and forced some admins to keep working over the weekend until all was fixed. In this episode we explain roots, root expirations, why they are a non event for most users, and why sometimes an expiration can be more impactful.
A new kind of identity certificate is coming that will enable businesses to include their logos in official email they send in order to improve customer confidence and protect against phishing. It is called a Verified Mark Certificate (VMC) and is built upon the DMARC standard, which controls which senders are allowed to send email using any given From address. In this episode our hosts explain VMCs and DMARC and how they will be used and then discuss where they fit in with S/MIME email certific...
Mozilla has announced its intention to remove support for FTP from the Firefox browser, citing concerns about security and the degree of effort required to keep this functionality current. Join our hosts as they discuss this announcement and its potential effects as well as the considerations that go into choosing when to drop support for outdated, unpopular, or sub-optimal capabilities in technology products.
Congress's proposed EARN IT act has many industry observers worried about its potential effect on the integrity of encrypted communication. In recent news, secure communication app Signal has floated the idea of relocating outside the United States if that's what's required to retain its ability to offer end-to-end encryption without spying eyes interfering. In this week's episode, we discuss this announcement and related issues surrounding the keeping of digital secrets and encryption.
For PKI to be secure, private keys need to remain private. In this episode we explain "vaulting" for keys or other shared secrets. We touch on the vulnerabilities that secrets vaulting fights against and the common use cases for vaulting.
One essential portion of the certificate lifecycle is the ability to revoke certificates. Public SSL certificates use a pair of mechanisms to communicate this revocation status to client machines, CRL and OCSP. In this episode we explain how these mechanisms work and some of their strengths and challenges.
With the global workforce's massive shift to work-from-home, a clever new set of opportunistic social engineering attacks has sprung up to take advantage of our unfamiliarity with our new communication and collaboration applications and processes. In this episode our hosts describe these new attacks and what IT departments can do to combat them.
As we plan our societal return to normalcy, a number of people and groups are discussing the concept of an electronic "immunity passport" that individuals can possess if they are known to be immune to COVID-19 (possibly through vaccination or prior infection). Today our hosts discuss the requirements for such an immunity passport, some of the opportunities and challenges in putting this kind of system in place, and how existing schemes and systems may fit into an immunity passport initiative.
Australia's Rabobank recently experienced an outage preventing its Android banking app from connecting to its servers. The root cause? An expired certificate. In this episode our hosts explain what happened and how it could have been avoided. They also discuss certificate pinning, how it came to be used with apps like this one, and its disadvantages.
Distributed PKI is a new approach, with advocates saying it will eliminate many weaknesses they perceive with traditional, hierarchical PKI architecture. Guest Alan Grau joins our hosts at they explain how distributed PKI works, describe its proclaimed benefits, and take a hard look at whether or not these claims hold up.
