Articles about digital certificate

'No questions asked' Windows code cert slingers 'fuel trade' in digitally signed malware

Trusted code-signing certificates are being sold to miscreants by allegedly unscrupulous vendors, fueling a growth in digitally signed Windows malware, a study has claimed. Security researchers at Masaryk University in the Czech Republic, and Maryland Cybersecurity Center (MCC) in the US, identified and monitored four …
John Leyden, 26 Jun 2018

Chrome 66: Get into the bin, auto-playing vids and Symantec certs!

Chrome the 66th is upon us and has added some features that Google previewed in months past. One is the September 2017 decision to stop trusting Symantec’s digital certificates, ending a long dispute over the way the security vendor managed its partners’ PKI activities before June 2016. Chrome 66 will warn visitors to sites …
Simon Sharwood, 18 Apr 2018

Symantec cert holdout sites told: Those Google Chrome warnings are not a good look

Many high profile UK sites still use Symantec certificates just days before Google will begin the process of dropping support for them with the next and upcoming releases of its Chrome browser. Google's looming disavowal of digital certificates issued by Symantec will occur across two effective dates, April and October. …
John Leyden, 21 Mar 2018

Let's Encrypt updates certificate automation, adds splats

Let's Encrypt has updated its certificate automation support and added Wildcard Certificates to its system. Certificate automation replaces what are otherwise manual and ad hoc mechanisms to apply for an X.509 certificate, and for the applicant's admins to prove they manage the domain in the certificate. ACME is the …

HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed

The websites for HTTPS certificate reseller Trustico, and one of its partners, SSL Direct, took a dive on Thursday – after a critical and trivial-to-exploit security flaw in Trustico.com was revealed on Twitter. The vulnerability could be leveraged by miscreants to execute arbitrary commands on the website's host server. A …
Iain Thomson, 1 Mar 2018

Beware the looming Google Chrome HTTPS certificate apocalypse!

Tens of thousands of websites are going to find themselves labeled as unsafe unless they switch out their HTTPS certificate in the next two months. Thanks to a decision in September by Google to stop trusting Symantec-issued SSL/TLS certs, from mid-April Chrome browser users visiting websites using a certificate from the …

Let's Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers' domains

Let's Encrypt – an SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it's insecure in the context of many shared hosting providers. TLS-SNI is …
Thomas Claburn, 13 Jan 2018

WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab

The CIA wrote code to impersonate Kaspersky Lab in order to more easily siphon off sensitive data from hack targets, according to leaked intel released by WikiLeaks on Thursday. Forged digital certificates were reportedly used to "authenticate" malicious implants developed by the CIA. WikiLeaks said: Digital certificates …
John Leyden, 10 Nov 2017

Hackers abusing digital certs smuggle malware past security scanners

Malware writers are widely abusing stolen digital code-signing certificates, according to new research. Malware that is signed with compromised certificates creates a means for hackers to bypass system protection mechanisms based on code signing. The tactic extends far beyond high profile cyber-spying ops, such as the Stuxnet …
John Leyden, 1 Nov 2017

Comodo CA acquired by Francisco Partners ...

Comodo's certificate business has a new owner, and not everybody's happy about it. That's because buyer Francisco Partners also counts among its investments companies like SonicWall, which produces SSL proxy boxes, and NSO Group, which produces government spyware, among other cyber-surveillance upstarts. Last time we heard, …

RIP HPKP: Google abandons public key pinning

Google is abandoning a next-generation web crypto technology it initially championed. HTTP Public Key Pinning (HPKP) is a standard that allows a host to instruct browsers to only accept certain public keys when communicating with it for a given period of time. While HPKP can offer a lot of protection, the technology was open …
John Leyden, 30 Oct 2017

Google to kill Symantec certs in Chrome 66, due in early 2018

Google has detailed its plan to deprecate Symantec-issued certificates in Chrome. The decision to end-of-life its trust for Symantec certificates was the outcome of a long tussle over dodgy certificates, which came to a head when certs for example.com and various permutations of test.com escaped into the wild. The absolute …

Google Chrome's HTTPS ban-hammer drops on WoSign, StartCom in two months

Update: Google in two months will conclude its prolonged excommunication of misbehaving SSL/TLS certificate authorities WoSign and subsidiary StartCom, a punishment announced last October. Chrome security engineer Devon O'Brien, in a Google Groups post on Thursday, said Google last year began limiting its trust of certificates backed …

FREE wildcard HTTPS certs from Let's Encrypt for every Reg reader*

Let's Encrypt plans to begin offering free wildcard certificates in January 2018, a move likely to make web security easier and a bit less costly for many organizations. Announced in 2014 as an effort to enhance and accelerate online security, the public benefit certificate authority (CA) has been issuing free X.509 (TLS/SSL) …

Comodo database glitch causes billing problems

Updated: While the rest of the world had its eyes firmly on the WannaCrypt outbreak, digital certificate firm Comodo suffered an unrelated but protracted database problem that affected its billing systems. The Register learned of the issue from reader Ian Barber who came across the problem in the process of getting a new SSL …
John Leyden, 19 May 2017

Peace in our time! Symantec says it can end Google cert spat

Symantec is hoping to get its certificates back on Google's trust list. In March, an ongoing spat between the two companies came to a head. After a scandal in 2015 over three certs issued by Symantec subsidiary Thawte, the number grew to 23, then 164, then 2,458 within a month. Google decided in December 2015 to distrust the …

Time's up for SHA-1 hash algo, but one in five websites still use it

One in five websites (21 per cent) are still using certificates signed with the vulnerable SHA-1 hash algorithm, according to a new survey. Reliance on the obsolete hashing technology leaves companies at greater risk of security breaches and compliance problems, certificate management firm Venafi warns. Venafi's latest study …
John Leyden, 8 Mar 2017

Google's Chrome is about to get rather in-your-face about HTTPS

Usenix Enigma 2017: Google and Firefox have been key drivers in the quest to get more people using HTTPS online, and starting this week the hammer is coming down. In a speech at Usenix Enigma 2017, Emily Schechter, a product manager for Chrome security, said that progress on HTTPS adoption was going well – currently over half of the top 100 …
Iain Thomson, 31 Jan 2017

Biting the hand that feeds IT © 1998–2018