In past episodes we have discussed the possibility of cyber attack against civil infrastructure like utilities. That possibility recently became real with the attempted poisoning of a Florida city's water supply through online security breach. Learn more on this episode.
Feb 11, 2021•12 min
A proposed law in Australia would require sites linking to news articles to pay for the right to link to these articles. While this law appears to be aimed at Google and Facebook, it has implications that are much bigger than these two news aggregators. Google has upped the ante by offering to cease operations in Australia before doing so. In this episode we discuss this ongoing development and where things go from here.
Feb 08, 2021•16 min
Recent research reveals a possible attack that would allow the cloning of the Google Titan secure key. Join our hosts and guest Alan Grau as they describe this attack and its implications for Titan and other secure keys.
Feb 05, 2021•12 min
A white hat researcher recently took over .cd, the Democratic Republic of the Congo's ccTLD. The implications of taking over a top-level domain are of course staggering. Join our hosts as we describe how this feat was accomplished and the many malicious activities that could occur under such circumstances.
Feb 01, 2021•10 min
A few days ago Google announced that Chrome will distrust Spanish public CA Camerfirma in its upcoming build 90. Our hosts go over the history of browsers distrusting public CAs and explain the reasons for (and implications of) this decision.
Jan 28, 2021•11 min
For more than a decade browsers displayed the "green address bar" on sites that had undergone the high authentication required for EV SSL certificates. But in recent years the identity information in the browser has shrunk, lost its color, and in some cases disappeared entirely. In this episode our hosts walk you through the history of how the green address bar came to be and how browsers gradually reduced and then removed it.
Jan 25, 2021•14 min
In this episode our hosts explain the Four Pillars of Certificate Automation: deploy, discover, revoke/replace, and renew. They detail what these pillars entail and why they're important. They also discuss the umbrella capability of visibility, which affects all four pillars.
Jan 21, 2021•28 min
On March 1 Sectigo will remove street address and postal/zip code information from its public certificates of all types. Our hosts explain the reasons for and advantages of this upcoming change, along with answers to some of the common questions we receive.
Jan 18, 2021•12 min
Recent years have seen multiple reductions in the maximum term for public SSL certificates. Our hosts are joined by guest Nick France to discuss the benefits of shorter certificate lifespans for both public and private CAs.
Jan 11, 2021•19 min
BGP, or Border Gateway Protocol, controls traffic routing on the internet. Real and theoretical attacks over the years have been revealed against BGP with varying levels of success, including recent research on how BGP attacks can be used to improperly obtain DV certificates. Our hosts explain them along with recent industry actions intended to thwart such attacks.
Jan 06, 2021•20 min
Public CAs have recently discovered a repeated error whereby certificate subscribers accidentally include the private key along with CSR submissions. Our hosts break down this phenomenon and its implications.
Jan 03, 2021•10 min
A new US law called the IoT Cybersecurity Improvement Act of 2020 creates security requirements for IoT devices sold into the US government. Join us as we explain these new requirements and why this law's reach is likely to extend further than the US governmental procurement process.
Dec 27, 2020•14 min
The SolarWinds Orion supply chain attack is making headlines throughout the tech press. This sophisticated attack includes some unusual manipulations of digital identity and certificates. In this episode we explain how certificates, keys, and identity play into the SolarWinds exploit.
Dec 21, 2020•31 min
In the third of our year-end lookback episodes, we discuss 2020's progress in the quest for quantum-safe encryption. This includes narrowing the NIST candidate list down to fifteen algorithms, the availability of test hybrid certificates, and the trouble with long-lived IoT devices. Our hosts predict what 2021 will look like for quantum-safe certificates.
Dec 17, 2020•14 min
In April 2014 a software vulnerability called Heartbleed was discovered in OpenSSL. Heartbleed made it possible for attackers to send commands to web servers and steal their private keys. Certificate subscribers around the world had to scramble to patch their servers and replace certificates by the millions. Guest Nick France joins us to explain this vulnerability, its consequences, and whether or not a Heartbleed-like vulnerability could occur today.
Dec 14, 2020•25 min
2020 was a big year for SASE (Secure Access Service Edge). Our hosts define SASE, ZTNA (Zero Trust Network Architecture), and SDP (Software Defined Perimeter). Our hosts discuss how these technology principles gained momentum in 2020 and why they are poised for continued growth in 2021.
Dec 09, 2020•24 min
In 2020 the COVID-19 pandemic changed the way we work. IT departments had to gear up for near-ubiquitous work-from-home (WFH) requirements while maintaining productivity and security. Our hosts talk about the pandemic's effect on employee authentication and access, Zero Trust, IT enablement of retail, immunity passports, and more.
Dec 07, 2020•24 min
In our ongoing examination of MFA, our hosts examine authentication through soft-token OTP (one-time passcode). They go over the potential benefits and pitfalls of soft tokens, and compare them to SMS tokens and hard tokens.
Dec 04, 2020•17 min
The recent release of Apple's Big Sur OS appears to have driven a temporary slowdown in the company's OCSP responders, affecting code updates across all Apple operating systems. Guest Nick France joins us to explain what appears to have happened and why.
Nov 29, 2020•17 min
Massive password breaches have been so repeatedly prevalent for so many years that as an industry and a society we've just started to accept them as a fact of life. In this episode we discuss the weaknesses of passwords as a strategy and why they nonetheless are so common even today. We describe the roadmap for eventually weeding out passwords from most systems.
Nov 24, 2020•16 min
Hard tokens are one of the oldest multi-factor authentication (MFA) form factors there are, and they are still in use today. In the latest in our series of explorations of MFA strategies, we examine the strengths and weaknesses of hard tokens as an MFA strategy.
Nov 19, 2020•15 min
First we had crypto agility, which is how we ensure our cryptography stays current with the needs of security. Expanding on this concept, industry leaders are now looking at certificate agility, which is building our systems so that all certificates are known, current, and immediately replaceable. Our hosts explain certificate agility, why it's important, and what you need to do to achieve it.
Nov 12, 2020•15 min
Our co-host Tim Callan has changed his title to Chief Compliance Officer. Join him and co-host Jason Soroko as they discuss what compliance means at a public Certificate Authority (CA) like Sectigo and what the Chief Compliance Officer does.
Nov 05, 2020•14 min
New research shows how ransomware attacks could be launched against IoT devices. Our hosts are joined by Alan Grau to understand these attacks and what can be done to defend against them, including technical controls such as strong identity and embedded firewalls.
Oct 28, 2020•18 min
Digital certificates and PKI provide digital identity and access. Identity and Access Management (IAM) is a huge technology category featuring major players like Okta, DUO, and Ping Identity. And despite the fact that they feature a lot of the same words in their descriptions, these two categories are entirely different spaces that do entirely different things. In this episode we explain the difference between digital identity certificates and IAM platforms and how they fit together.
Oct 08, 2020•11 min
As part of our ongoing series on the pros and cons of various forms of multi-factor authentication (MFA), in this episode we explore biometrics. Our hosts discuss their strengths and weaknesses and the idea that biometrics are more about proof of possession than identity authentication.
Oct 05, 2020•10 min
One of the cornerstones of the success of PKI and digital certificates is their dependence on an asymmetric encryption model. In this episode our hosts explain the difference between asymmetric and symmetric secrets and how they fit into encryption.
Oct 01, 2020•22 min
Our hosts are joined by Joel Rennich of Jamf to talk about passwordless authentication and access for various Apple platforms. Joel explains the variety of user experiences that can qualify as passwordless access, with an eye to the specific needs and opportunities for Apple devices.
Sep 28, 2020•33 min
A Hardware Security Module, or HSM, is a piece of hardware that securely stores secret material such as cryptographic keys. Join our hosts as they explain terms like HSM, Trusted Platform Module (TPM), Secure Enclave, TrustZone, and Hardware Secure Element (SE).
Sep 21, 2020•15 min
SASE (Secure Access Service Edge) is a new term to describe the complexity of authenticating access across today's diverse and heterogeneous computing environments. Join our hosts as they discuss the role of digital identity and certificates in this paradigm.
Sep 18, 2020•20 min