Black Hat Briefings Reveal New SSL Shortcomings
Entrust completes tests to ensure its SSL products, services unaffected by findings
At the July 2009 Black Hat Briefings in Las Vegas, Nev., Dan Kaminsky (the director of penetration testing for IOActive) and his co-researchers announced preliminary results of their ongoing investigation into SSL and the public key infrastructure (PKI) upon which it relies. The Black Hat Briefings also featured related findings from other researchers, including Moxie Marlinspike, Michael Zusman and Alexander Sotirov.
During the event, Kaminsky described several real and potential vulnerabilities in the overall system of browser and server software, certification authority (CA) software and practices that have the potential to seriously impact the security of the Web.
To give proper credit, Kaminsky is to be applauded for the responsible way in which he released the findings, providing affected vendors the information and the time needed to address any vulnerabilities that might exist in their products and services before malicious exploits could be mounted by criminals. Through this process, the Internet community benefits from improved security with little risk of incurring a real loss.
Kaminsky's approach has been consistent: look for a variety of relatively well-understood bugs in the software commonly used by browsers and CAs. To date, he has focused on such bugs as broken digest algorithms, string processing anomalies, multivalued attribute processing, SQL injection and browser policies for rendering extended validation content.
For the most part, Kaminsky describes anomalies in the code-base that, without mitigating safeguards, could result in serious exposure. This is reason enough for browser suppliers and CAs to examine their products and services, and ensure that those mitigating safeguards are in place and operating correctly.
Entrust has done just that. We've worked tirelessly to ensure our SSL products and services are not vulnerable to the discoveries reported by Kaminsky and others. While heartening, there is no cause for complacency, and in some cases Entrust needs to work closely with standards organizations and browser vendors to ensure SSL remains secure. Entrust is a founding member and currently chairs the CA/Browser Forum, a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software and other applications.
Entrust operates its own continuous expert evaluation across the entirety of its products and services to identify, classify and correct such issues. Indeed, Kaminsky's report has prompted our security team to test for additional exploits based on the findings in his research. The community's understanding of IT security is continuously evolving, and no responsible vendor can afford to relax its guard.