Security News
Expiring root certificates will cause devices like smart TVs and refrigerators to fail in the next few years, security researcher Scott Helme has warned. To validate a certificate, the client must have a trusted root certificate from the issuing authority, and this, says Helme, is a problem for devices that never get updated.
There's a bit of a kerfuffle in the web hosting community just at the moment over an expired web security certificate from a certificate authority called Sectigo, formerly Comodo Certificate Authority. To make it harder for crooks to mint a web certificate in your name, you need to get your certificate vouched for by someone else, known as a certificate authority.
Frost & Sullivan recognizes DigiCert with the 2020 Global Company of the Year Award, based on its recent analysis of the global TLS certificate market. "Leveraging its superior technology, customizing it to regional markets and building a best-in-class customer support system, DigiCert has captured the business of 89% of the Fortune 500 companies and the world's most recognized brands," said Swetha Krishnamoorthi, Industry Analyst at Frost & Sullivan.
Today, in part due to the work Let's Encrypt does, roughly 85% of all websites use HTTPS and over one billion certificates have been issued. What about money? Aas may have wanted to give away certificates for free, but building the Let's Encrypt apparatus was anything but free.
Sectigo, a leading provider of automated digital identity management and web security solutions, announced a partnership with Infineon Technologies AG to provide automated certificate provisioning for Infineon's OPTIGA Trusted Platform Module 2.0 using Sectigo IoT Identity Manager. "Including a TPM chip in an IoT device design is the first step in enabling strong authentication and secure communication for IoT devices," explained Alan Grau, VP of IoT/Embedded Solutions at Sectigo.
Entrust Datacard, a leading provider of trusted identity and secure transaction technology solutions, announced the Entrust Datacard Certificate Hub, a portal that allows customers to find, control and automate their public and private certificate deployments via a single pane of glass. "Security-minded enterprises have a critical need to track their certificates and know when they're going to expire. Many enterprises struggle to track their certificates and proactively manage them - their environments have grown too complex and distributed to manage hundreds or thousands of certificates on spreadsheets, which opens weaknesses that attackers prey upon," said Robyn Westerveldt, Research Director, Security & Trust at IDC. "A certificate lifecycle management tool like Certificate Hub helps enterprises deal with complexity by standardizing, simplifying and streamlining certificate discovery, management and automation."
Hoping to actually make the long foretold end of passwords happen, a startup called Beyond Identity believes it can hasten the demise of the memory-taxing access ritual by embedding a personal certificate authority into mobile devices. Beyond Identity proposes an app for Apple, Windows, Android and cloud services to handle authentication in a way that doesn't require tapping in a memorized secret.
Recent studies have shown that cybercriminals building phishing sites now use SSL as well, complicating efforts by enterprises to keep their employees safe. The Menlo Security research revealed that while 96.7% of all user-initiated web visits are being served over HTTPS, only 57.7% of the URL links in emails turn out to be HTTPS, which means that web proxies or firewalls will be oblivious to the threats unless enterprises turn on SSL inspection.
Let's Encrypt planned to revoke more than 3 million TLS certificates on Wednesday after it discovered a bug that allowed an important security check performed during TLS issuance to be bypassed. On March 4, we will revoke 2.6% of currently active Let's Encrypt certificates.
Free and open certificate authority Let's Encrypt has decided that it will not revoke one million of the certificates affected by the recent CAA recheck bug. A total of 3,048,289 certificates were supposed to be revoked, but Let's Encrypt ultimately decided to leave 1 million of them unreplaced at this time.