The recently published Messaging Layer Security (MLS) protocol establishes key exchange for group communication sessions of three or more participants. We explain its significance and the possible futures of this standard.
Aug 29, 2023•11 min
In 2008 the world of SSL was shocked by the discovery of a flaw in a popular operating system that limited the total set of possible private keys on this OS to about 32,000. We explain what happened, industry response, and its consequences.
Aug 23, 2023•7 min
In this episode we explain Border Gateway Protocol (BGP) attacks and how multi-perspective domain validation (MPDV, also known as multi-vantage point domain validation) can defeat them.
Aug 18, 2023•17 min
A recent Financial Times article reveals that mistyped email addresses aimed at the US military frequently are sent to email addresses in Mali instead, to the tune of hundreds of thousands per year. Some of this includes sensitive military content.
Aug 15, 2023•12 min
A recent outage in Microsoft Sharepoint was caused by an error in certificate installation. We explain what happened and the lessons to be learned.
Aug 11, 2023•10 min
The battle between government and encryption continues. The UK is attempting to build secret back doors into end-to-end encrypted services. In response, Apple has threatened to remove Apple services from the UK, including FaceTime and iMessage.
Aug 07, 2023•16 min
In this follow-up to our episode 320, we describe Microsoft's actions to mitigate this attack and explain new findings that show its impact to be broader than originally thought. Anyone using the Microsoft stack needs to understand this new threat.
Aug 02, 2023•12 min
In July famous security researcher Kevin Mitnick passed away. We briefly pay tribute to Kevin and talk about his contributions to white hat hacking as a practice.
Jul 31, 2023•6 min
The CA/Browser Forum recently passed a temporary moratorium on new members of the Certificate Consumer class. We explain how Certificate Consumers have been admitted in the past and the pros and cons of creating stricter rules for Certificate Consumers.
Jul 26, 2023•16 min
A new rootkit attack in the wild is code-signed with a Microsoft certificate. We explain kernel-level attacks, how powerful they are, and how this attack occurred.
Jul 24, 2023•11 min
A new agreement mandates that European countries will make digital wallets available to their citizens in 2024. We explain what's coming and some of its implications.
Jul 21, 2023•20 min
ACME is a functional and widely supported protocol for certificate provisioning and installation. A new extension to the protocol will help automate renewals. In this episode we explain ACME Renewal Information (ARI).
Jul 18, 2023•10 min
In this episode we describe how physically accessing the CAN bus wires in a modern automobile can allow a thief to take over key fob functionality to unlock the doors, start the engine, and ultimately steal the vehicle. We explain how PKI can defeat this attack and what is necessary to get there.
Jul 13, 2023•20 min
SquareSpace recently acquired Google's domain registry business. We discuss what this move says about large technology trends.
Jul 11, 2023•13 min
The SEC has sent "Wells notices" to two senior executives from SolarWinds, with regard to the 2019 supply chain attack. In this episode we explain these notices and their implication.
Jul 07, 2023•16 min
We have spoken in previous episodes about the potential for deepfakes in real-world crimes. In this episode we discuss a variety of real-world attacks in which deepfakes have played a role. These include fake kidnapping, "sextortion," and a range of spear phishing attacks and social media scams.
Jul 05, 2023•26 min
In 2022 Mozilla added a root program requirement that CAs include Reason Codes when revoking public TLS certificates. In this episode we explain the reason codes, along with some explicitly forbidden reason codes, and go into the backstory behind this requirement.
Jun 22, 2023•16 min
Don't roll your own crypto. In this episode we describe the findings of 2021 research that investigated the root causes of problems in cryptographic systems. The results may surprise you.
Jun 20, 2023•15 min
We describe CCADB, the Common CA Database. We explain the role of CCADB in the WebPKI and how this role is evolving.
Jun 16, 2023•14 min
In this episode we continue to explore the capabilities of AI to replicate known people in deepfakes made from AI-generated content.
Jun 13, 2023•25 min
On June 1, 2023 new rules for delivery of code signing certificates went into effect, requiring the certificate be delivered by secure HSM. In addition to shipping a token by mail, certificates can be electronically delivered to Subscriber-owned hardware that supports key attestation. In this episode we explain key attestation, supporting hardware, and the pros and cons of this method.
Jun 07, 2023•11 min
For the second time in under twelve months, a major browser is deprecating a CA's public trust. This time it's E-Tugra. Learn about the concerns raised about this CA, investigation of these concerns, and the ultimate deprecation decision.
Jun 05, 2023•18 min
In this episode we describe how tools from operational technology red team exercises are being repurposed for malware attacks.
May 31, 2023•14 min
Certificate Transparency (CT) logs do a lot of good for the WebPKI. They also, however, carry with them some privacy concerns. In this episode we explain those concerns.
May 26, 2023•13 min
In our episode 143 we introduced the Four Pillars of Certificate Lifecycle Management. Now, two years later, we introduce a fifth pillar of CLM.
May 22, 2023•14 min
A 90-day maximum term for SSL certificates is coming. In this episode expert guest Henry Lam details his four-point checklist for preparing enterprises for these shorter-lived certificates.
May 18, 2023•14 min
In our recent episode 300 we discussed Chrome's upcoming removal of the lock icon from its interface. In this follow-up, we catch the listener up on Chrome's longstanding program to minimize the URL in its interface, even to the point of contemplating removing the address bar entirely.
May 16, 2023•19 min
As a result of a recent ransomware attack, a private key belonging to Intel has been exposed, affecting more than a hundred OEM components and an unknown number of end-user products. We explain what happened and its possible implications.
May 12, 2023•13 min
This podcast frequently discusses the concepts of certificate automation and Certificate Lifecycle Management (CLM). In this episode we discuss how CLM does not always entail automation and vice versa -- along with where this distinction occurs and why it matters.
May 09, 2023•15 min
Google Chrome has announced that it will eliminate the lock icon in September. We explain what Google will be doing, its stated rationale, and the pros and cons of this decision.
May 04, 2023•19 min