NIST's round four post-quantum crypto candidate SIKE (Supersingular Isogeny Key Encapsulation) has been defeated and is now out of consideration. In this episode we explain isogeny cryptography, why NIST is seeking additional candidates, and why failures of this kind are expected and healthy for PQC.
Aug 28, 2022•18 min
In a personally unprecedented occurrence, Tim's identity as a Sectigo executive is being used in a "waterholing" phishing scam intended to raid job seekers' bank accounts. We describe what is going on, how we found out, and the challenges in combatting such an attack.
Aug 15, 2022•17 min
Mozilla is highly important to the world of public certificates, with influence beyond what the Firefox browser market share would suggest. In this episode we examine the historical reasons for this influence and the mechanisms that maintain that influence today.
Aug 10, 2022•12 min
A recently revealed vulnerability in Active Directory made it possible for an attacker to escalate privileges inappropriately. Microsoft responded with a patch in May 2022, which unfortunately has forced a difficult workaround for many common software components beyond Active Directory that will otherwise be incapable of working with AD identities. In this episode we explain what is happening, how it came about, and the broader lessons for PKI owners.
Aug 04, 2022•13 min
The recent winners of the NIST post-quantum cryptography contest are strongly focused on lattice-based encryption. In this episode we explain at a high level what this cryptographic approach entails and why lattice-based algorithms fared so well in the NIST search.
Jul 26, 2022•26 min
The RSA Security Conference is back. In this episode we talk about what happened in 2020 and how the first post-COVID RSAC compared to earlier years, along with some of the major themes this year.
Jul 22, 2022•10 min
In coordination with NIST's announcement of its new post-quantum cryptographic algorithm contest winners, the Cybersecurity and Infrastructure Security Agency released a bulletin listing six key actions for IT to commence now. We read out these six actions and put them in context.
Jul 12, 2022•25 min
NIST has announced its winning algorithms for round 3 of its post-quantum cryptography "contest." Join us as we name the winning algorithms and explain why they were chosen. We discuss the continuing effort to arrive at additional algorithms, and we talk about the next steps coming out of this announcement.
Jul 08, 2022•19 min
Recent announcements about consumer passwordless authentication build on standards like FIDO and WebAuthn. In this episode we explain device-centric authentication, the FIDO Alliance, and how it all works.
Jul 06, 2022•24 min
Apple recently announced its Passkey functionality, which will allow passwordless authentication between Apple devices and supporting web services through key exchange. In this episode we discuss how this works, the user experience, the significance of FIDO and WebAuthn, and implications for consumer-facing sites.
Jun 30, 2022•16 min
In this follow-on to our two previous podcasts, we elucidate additional potential schemes for preserving consumer privacy. We discuss data aggregation, the power of the default, decentralized blockchain identities, the death of cookies, browsing collectives, privacy browsers, and the 80/20 rule of browser entropy.
Jun 08, 2022•22 min
In a follow-up to our recent episode on cookies and browser tracking, we discuss Google's Federated Learning of Cohorts (FLoC) initiative, why it failed as a response, and other directions the industry is looking in.
May 31, 2022•14 min
In this episode we explain the fundamentals of cookies and why, despite their obvious benefits, they present troublesome privacy concerns. We discuss the many ways web users can be tracked including cross-site cookies, tracking pixels, and browser fingerprinting.
May 27, 2022•24 min
In this third episode in our series on SSH keys, we identify the six main benefits of SSH certificates and how they mitigate the problems with SSH identified in earlier episodes.
May 24, 2022•21 min
Despite the similarity in their names, in the world of digital certificates a Relying Party and a Certificate Consumer are very different things. In this episode we define the four main roles in the public trust ecosystem: CA, Subscriber, Certificate Consumer, and Relying Party, with real-world examples.
May 19, 2022•15 min
In this follow-on to our earlier episode explaining SSH keys, we discuss the five problems SSH keys present to organizations using them. And we give a peek at how to solve these problems.
May 17, 2022•19 min
Attackers are using CT logs to identify brand new WordPress sites and install malware before upcoming security measures are in place. This attack is novel in how it exploits Certificate Transparency information to identify likely targets. In this episode we explain what is happening and why it's noteworthy.
May 11, 2022•15 min
Vendor consolidation is an important topic in IT security. As the scope and variety of threats continues to increase, we have seen a proliferation of point solutions and features, and a resulting desire to reduce that vendor footprint or at least facilitate using them together. In this episode we discuss this trend and how it specifically affects PKI and digital certificates.
May 11, 2022•10 min
SSH (Secure Shell) keys are ubiquitous for authenticated access to Linux systems. In this first of three episodes we explain what these keys are and how they're used.
May 04, 2022•15 min
"Passwordless" is a hot term in the industry, and as a result many technology vendors are attaching their solutions to this term. In this episode we clarify the difference between OTP services and passwordless authentication.
May 02, 2022•14 min
New proposed legislation in the US House of Representatives mandates that federal agencies must begin preparation for using the new quantum-resistant cryptographic algorithms selected by NIST. This represents a major development in building a quantum-safe digital world. In this episode we explain the proposed legislation and its consequences.
Apr 26, 2022•12 min
Every technology space has its jargon. In this episode we go over some of the interesting, ambiguous, or amusing terms that are specific to the PKI and digital certificates industry.
Apr 20, 2022•30 min
In March the LAPSUS$ hacking group convincingly announced a breach of Okta systems, potentially exposing Okta customers to additional compromise. Despite Okta's initial statements to the contrary, it ultimately turned out that up to 366 Okta customers may be affected. Our hosts walk through the events of the attack, how it unfolded over time, and how this breach was revealed.
Apr 14, 2022•24 min
One of the foundational tools for monitoring and understanding public SSL certificates is crt.sh, created and maintained by Sectigo's own Rob Stradling. In this episode our hosts explain what crt.sh does and why it is so popular among SSL industry watchers.
Apr 10, 2022•11 min
Organizations seeking to use passwordless authentication frequently must deal with legacy systems that cannot support this scheme. In this episode we explain why that occurs and detail the steps organizations can take to mitigate the effect of legacy systems.
Apr 08, 2022•24 min
A recent FBI warning cautions organizations about an exploit based on misconfigured Duo MFA, which uses weaknesses in Active Directory to provision Duo credentials for malicious parties. This is an unusual story in several ways, including the fact that the exploit is based on a configuration error and that it's specific to a single, popular SaaS offering. Our hosts explain this exploit and why it is noteworthy.
Apr 05, 2022•11 min
In this episode we describe a recent phishing campaign noteworthy for its scale, encompassing a total of 600 unique domains. We discuss the implications of a campaign of this scale and high level of organization.
Mar 28, 2022•8 min
On April 1 new root program requirements from Apple for S/MIME certificates go into effect, including a limitation of the allowable term to three years. This is contrary to Apple's stated intentions last year. In this episode we explain this change in policy and what certificate users can expect for the future.
Mar 28, 2022•11 min
Wildcard and multi-domain certificates have traditionally made administration easier for IT departments. In this episode we weigh the degree to which Certificate Lifecycle Management (CLM) renders these benefits obsolete and if these certificate types continue to be worth the increased risk they carry.
Mar 12, 2022•14 min
Microsoft has deprecated support for the popular sysadmin tool WMIC. Join our hosts as they explain the security reasons behind this development and broader lessons we can learn.
Mar 07, 2022•7 min