Getting Ready for 2016: SHA-2 (SHA256) Certificates and Apache

It seems Google has declared SHA-1 encryption insecure. Chrome now complains about sites using this protocol for secure (https) connections. From what I understand, certificates and servers should be upgraded before 2016 in order to be viewable by Chrome users. Once again, I turned to Qualys SSL Labs for help. Their SSL Server Test is … Read more

Don’t FREAK OUT!

Yes, yet another Frank Zappa reference for an SSL issue! Woohoo! I really don’t see that the recently disclosed FREAK bug is easily expoitable.  It seems to me that a man-in-the-middle attack would be rather difficult to execute. My thought is that the attacker would need to control either DNS or routing, or be on … Read more

DigiNotar SSL Certificates Revoked by Google and Mozilla

The latest stable version of Google Chrome (13.0.782.220) rejects SSL certificates issued by the Dutch firm DigiNotar as does the yet-to-be-released Mozilla Firefox 6.0.2. (Mozilla will also release an update to the 3.6 line: Firefox 3.6.22. My tests indicate this version also revokes DigiNotar as an SSL authority.) This drastic action comes in the wake … Read more

Mozilla.com Redirecting to Mozilla.org (SSL hell)

In response to the news that hundreds of web site SSL certificates were hacked from (fraudulently issed by) DigiNotar, the Mozilla foundation taken drastic action: permanently blocking all DigiNotar certificates in the latest version(s) of Firefox. So, what does that have to do with site redirection? My guess is that a hacked certificate has been … Read more