Security News

Google, it seems, is joining Apple in limiting the maximum validity of web security certificates - those digitally signed blobs of data that put the S in TLS and the padlock in your address bar - to just one year. Others ask why a year is seen as "too long" given that certificate authorities such as Let's Encrypt are already issuing certificates that are only valid for three months at a time, thanks to a smoothly automated process for renewal.

A security expert predicts trouble ahead for IoT device makers and customers due to expired root SSL certificates. Dunlap and cyber security specialists are tracking the impact of expiring Certificate Authority root SSL certificates on smart devices, including smart TVs, fridges, lightbulbs, and other IoT devices.

"Hi all, Has anyone seen or heard from Kristian in the last month or so?" asked Todd Fleisher earlier this month - in fact, 11 June - on the main mailing list for an important cluster of OpenPGP key servers. Fiskerstrand, who had seemingly gone AWOL, issues cryptographic certificates to servers that join the SKS keyserver pools, allowing these volunteer machines to share the load in securely handling key lookup requests.

Expiring root certificates will cause devices like smart TVs and refrigerators to fail in the next few years, security researcher Scott Helme has warned. In order to validate the certificate the client must have a trusted root certificate from the issuing authority, and this, says Helme, is a problem for devices that never get updated.

There's a bit of a kerfuffle in the web hosting community just at the moment over an expired web security certificate from a certificate authority called Sectigo, formerly Comodo Certificate Authority. To make it harder for crooks to mint a web certificate in your name, you need to get your certificate vouched for by someone else, known as a certificate authority.

Frost & Sullivan recognizes DigiCert with the 2020 Global Company of the Year Award, based on its recent analysis of the global TLS certificate market. "Leveraging its superior technology, customizing it to regional markets and building a best-in-class customer support system, DigiCert has captured the business of 89% of the Fortune 500 companies and the world's most recognized brands," said Swetha Krishnamoorthi, Industry Analyst at Frost & Sullivan.

Today, in part due to the work Let's Encrypt does, roughly 85% of all websites use HTTPS and over one billion certificates have been issued. What about money? Aas may have wanted to give away certificates for free, but building the Let's Encrypt apparatus was anything but free.

Sectigo, a leading provider of automated digital identity management and web security solutions, announced a partnership with Infineon Technologies AG to provide automated certificate provisioning for Infineon's OPTIGA Trusted Platform Module 2.0 using Sectigo IoT Identity Manager. "Including a TPM chip in an IoT device design is the first step in enabling strong authentication and secure communication for IoT devices," explained Alan Grau, VP of IoT/Embedded Solutions at Sectigo.

Entrust Datacard, a leading provider of trusted identity and secure transaction technology solutions, announced the Entrust Datacard Certificate Hub, a portal that allows customers to find, control and automate their public and private certificate deployments via a single pane of glass. "Security-minded enterprises have a critical need to track their certificates and know when they're going to expire. Many enterprises struggle to track their certificates and proactively manage them - their environments have grown too complex and distributed to manage hundreds or thousands of certificates on spreadsheets, which opens weaknesses that attackers prey upon," said Robyn Westerveldt, Research Director, Security & Trust at IDC. "A certificate lifecycle management tool like Certificate Hub helps enterprises deal with complexity by standardizing, simplifying and streamlining certificate discovery, management and automation."

Hoping to actually make the long foretold end of passwords happen, a startup called Beyond Identity believes it can hasten the demise of the memory-taxing access ritual by embedding a personal certificate authority into mobile devices. Beyond Identity proposes an app for Apple, Windows, Android and cloud services to handle authentication in a way that doesn't require tapping in a memorized secret.