GlobalSign certificate revocation error leaves websites inaccessible


Users around the world have had trouble accessing some HTTPS websites due to an error at GlobalSign, one of the world's largest certificate authorities. As part of a planned exercise, GlobalSign revoked one of its cross-certificates that allowed end-user certificates to chain to alternate root certificates. GlobalSign operates multiple roots, which are trusted in browsers and operating systems by default, and links them together through these cross-certificates. The revocation of such a certificate was interpreted by some browsers and systems also as a revocation of the intermediate certificates that chained back to it. This was not really the case or the company's intention.

Python Certificate error in Selenium


There is a common scenario we have all encountered: sometimes when we try to load a web page it does not load and the browser instead shows the message "your communication is not secure". The browser validates the website's certificate by checking that the certificate that signed it is valid, then checking that the certificate that signed that parent certificate is valid, and so on up to a root certificate that is known to be valid; this chain is also called the certificate hierarchy. If the browser fails to complete this validation, the connection is interrupted and an error message is displayed. If the certificate presented by the server cannot be validated, or if the encryption itself is not strong enough, the browser automatically stops the connection with the website and shows an error page with the message "your connection is not secure". Therefore, whenever we write our script and test it in our own environment we will always get this error, because certificates are costly and may not be used for test environments. Most of the time, to test web applications over HTTPS, self-signed certificates are used. And because self-signed certificates are not trusted by browsers, we get the error in our test environment while executing test scripts.

Apple strong-arms entire CA industry into one-year certificate lifespans


A decision that Apple unilaterally took in February 2020 has reverberated across the browser landscape and has effectively strong-armed the Certificate Authority industry into bitterly accepting a new default lifespan of 398 days for TLS certificates. Following Apple's initial announcement, Mozilla and Google have stated similar intentions to implement the same rule in their browsers. Starting September 1, 2020, browsers and devices from Apple, Google, and Mozilla will show errors for new TLS certificates that have a lifespan greater than 398 days. The move is an important one because it not only changes how a core part of the internet works -- TLS certificates -- but also because it breaks away from normal industry practices and the cooperation between browsers and CAs.

Analysis of SSL Certificate Reissues and Revocations in the Wake of Heartbleed

Communications of the ACM

A properly managed public key infrastructure (PKI) is critical to ensure secure communication on the Internet. Surprisingly, some of the most important administrative steps--in particular, reissuing new X.509 certificates and revoking old ones--are manual and remained unstudied, largely because it is difficult to measure these manual processes at scale. We use Heartbleed, a widespread OpenSSL vulnerability from 2014, as a natural experiment to determine whether administrators are properly managing their certificates. All domains affected by Heartbleed should have patched their software, revoked their old (possibly compromised) certificates, and reissued new ones, all as quickly as possible. We find the reality to be far from the ideal: over 73% of vulnerable certificates were not reissued and over 87% were not revoked three weeks after Heartbleed was disclosed. Our results also show a drastic decline in revocations on the weekends, even immediately following the Heartbleed announcement. These results are an important step in understanding the manual processes on which users rely for secure, authenticated communication.

Server authentication is the cornerstone of secure communication on the Internet; it is the property that allows client applications such as online banking, email, and e-commerce to ensure the servers with whom they communicate are truly who they say they are. In practice, server authentication is made possible by the globally distributed Public Key Infrastructure (PKI). The PKI leverages cryptographic mechanisms and X.509 certificates to establish the identities of popular websites. This mechanism works in conjunction with other network protocols--particularly Secure Sockets Layer (SSL) and Transport Layer Security (TLS)--to provide secure communications, but the PKI plays a key role: without it, a browser could establish a secure connection with an attacker that impersonates a trusted website.
The secure operation of the web's PKI relies on responsible administration.