More widespread EV deployment on JP Morgan Chase
I've written in the past that Chase Paymentech has deployed EV SSL. Well, JPMC has now expanded its EV usage to include the J.P. Morgan site itself.
Tim Callan is a product marketing executive for VeriSign's SSL business unit. He is a longtime marketer of Internet and software solutions, a sometime entrepreneur, and a frequent writer and publisher of this and that. The opinions expressed in this blog are strictly his own.
Hi, everyone. I'm in the middle of a productive week in Japan, meeting with leaders in the Japanese banking and e-commerce industries along with press and impactful industry groups such as the Japanese arm of the CA/Browser Forum. Unfortunately I'm running into severe Internet access problems with my war-torn laptop and therefore am not able to access my blogging console this week. So hold tight and I'll be back up and running early next week.
You may have noticed a lot of waves in the press and the blogosphere about the broad DNS security flaw just announced by security researcher Dan Kaminsky. We're getting questions about how this affects the root DNS as well as major TLDs, and my fellow VeriSign blogger Philip Hallam-Baker has addressed this question. (Short story: It doesn't.)
Now with that out of the way, let's talk about SSL. The announcers of this new vulnerability have kept the details deliberately obscure (which they tell us is to protect the flaw from exploitation by criminals), but the essence of what we read in Philip's post is that it's not unlike the traditional DNS cache poisoning we have been aware of for years.
So how does this security flaw fit in with SSL? Quite simple. The flaw could aid a criminal in redirecting the cache in a corporation's or ISP's DNS server so that popular sites are redirected to the criminal's phishing site and not the real one. So if you were on one of these redirected DNS cache servers and you went to www.mybank.com (for instance), the browser's address bar would actually say www.mybank.com, and the site would look like your bank, but it actually could be a false site. As I said, a straightforward DNS poisoning AKA pharming attack.
Enter Extended Validation SSL. If the bank in question uses Extended Validation SSL Certificates, then you can look for the green bar and the name of the bank to ensure you're in the right place. Even if the address bar says what you'd expect it to, if the green bar is not present, you know something's wrong and should not proceed with the transaction.
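An added illustration of the point above (not code from the original post): the resolver cache decides where the connection goes, so the address bar is no defense, while the certificate check binds the DNS name and, for EV, the verified organization to a CA-signed identity. All hostnames, IPs, keys and the HMAC stand-in for a CA signature are constructed for this example.

```python
import hmac
import hashlib

# Constructed toy model of the pharming scenario described above. An HMAC under
# CA_KEY stands in for a real CA's digital signature; a browser would instead
# validate an X.509 chain against its trust store.
CA_KEY = b"trusted-ca-key"  # constructed stand-in for the CA's signing key

def ca_issue(subject_cn, org=None, ev=False, key=CA_KEY):
    """Issue a toy certificate: subject fields plus a 'signature' over them."""
    fields = f"{subject_cn}|{org}|{ev}"
    return {"cn": subject_cn, "org": org, "ev": ev,
            "sig": hmac.new(key, fields.encode(), hashlib.sha256).hexdigest()}

def ca_verify(cert, key=CA_KEY):
    """True only if the certificate was signed by the trusted CA."""
    fields = f"{cert['cn']}|{cert['org']}|{cert['ev']}"
    expected = hmac.new(key, fields.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])

# Constructed servers keyed by IP: the certificate each presents in the handshake.
SERVERS = {
    "203.0.113.10": ca_issue("www.mybank.com", "MyBank Inc.", ev=True),        # real bank
    "198.51.100.7": ca_issue("www.mybank.com", "MyBank Inc.", ev=True,
                             key=b"attacker-key"),                              # forged cert
    "198.51.100.8": ca_issue("www.attacker.example"),                          # attacker's own DV cert
}

def check_site(host, cache, expected_org):
    """Browser-side identity check; returns (ok, reason). `host` is what the address bar shows."""
    cert = SERVERS[cache[host]]          # the resolver cache, not the bar, picks the server
    if not ca_verify(cert):
        return False, "not signed by a trusted CA"
    if cert["cn"] != host:
        return False, "issued for a different name"
    if not cert["ev"] or cert["org"] != expected_org:
        return False, "no EV organization (green bar absent)"
    return True, "EV identity verified"

def demo():
    cache = {"www.mybank.com": "203.0.113.10"}
    clean = check_site("www.mybank.com", cache, "MyBank Inc.")
    cache["www.mybank.com"] = "198.51.100.7"   # poisoned entry -> forged cert
    forged = check_site("www.mybank.com", cache, "MyBank Inc.")
    cache["www.mybank.com"] = "198.51.100.8"   # poisoned entry -> wrong-name cert
    wrong_name = check_site("www.mybank.com", cache, "MyBank Inc.")
    return clean, forged, wrong_name
```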
In recent weeks I've spoken a lot about the Debian flaw that enables the creation of weak SSL keys. One thing you may be aware of is that VeriSign suspended charging for replacement of SSL Certificates through the end of June to facilitate the replacement of these certificates.
I'm happy to state that due to the strongly positive reactions toward this policy that we've received from our customers, VeriSign has extended this free replacement offer through the end of July. While we've seen good progress in the replacement of weak Debian certs, with over a million active certificates to look at, you can imagine it requires a little time to make our way through the whole bunch of them. So to facilitate the continued replacement of the existing weak certificates, we're keeping free reissuance alive for a while longer.
Readers of this SSL Blog will recall that there was a time when tracking the early adoption of Extended Validation SSL was one of this blog's main functions. As it has become more mainstream, I've left off mentioning deployment on individual sites unless they're very important.
Today I'm highlighting the fact that EV SSL is live on Aetna. This deployment is important because of Aetna's leadership position in both the insurance and health care industries. Both these industries deal in a great amount of personal information for which confidentiality is very important and which individuals want to ensure is secure.
Consider the consequences of a privacy breach on three types of sites: e-commerce, financial, and health care. In the first case a credit card number is stolen. The individual has to go through the hassle of disputing charges and getting a new credit card. Definitely a bummer. The second case is worse. The individual most likely is the victim of account takeover, meaning that money is stolen either directly or indirectly. Now the individual has to deal with a bank or trading firm or the like to see to it that his or her money is returned, usually at the expense of the financial service provider in question.
All bad. But let's talk about what happens when confidential health care information escapes into the public sphere. Now there is no recourse, no matter how hard you work at it. A bank account can be restored. Compensation can come to the victim of a pump-and-dump scheme. But once there's general knowledge of who uses which prescription drugs or who has been diagnosed with cancer or who has tested positive for a congenital disease, then no activity, no action of the court, no trick of law enforcement will ever put that genie back in that bottle.
Which is why it's been good to see health care leaders like Blue Cross/Blue Shield and now Aetna adopting Extended Validation. Because phishing isn't just about banks.
If you're reading an SSL Blog like this one, you probably already have heard that Firefox 3 is due for release tomorrow. What you may not have heard is that Opera 9.5 is released and available for download now. Adding these to Internet Explorer 7, in two days the industry has tripled the number of browsers compatible with EV SSL.
I'm here at the AOTA (Authentication and Online Trust Alliance) Summit, and we've had a very lively and informative two days. In particular there were two highlights for me. One was my panel discussion on Extended Validation SSL Certificates, which I shared with PayPal CISO Michael Barrett. Michael is firmly convinced that EV SSL has been an asset to PayPal's combat against online fraud as well as a driver of improvement in business metrics.
The second high point is that VeriSign received the AOTA 2008 Safety Leadership Award. I had the good fortune to collect the award, and as I said to the room at the time, to receive that compliment from such a capable and informed community engaged in such an important and noble goal is an honor indeed.
I will be speaking at the Discover YouTube event in San Bruno, California on Monday, June 9. I will be discovering VeriSign's award-winning Cart Whisperer campaign. If you're coming to the event, make sure to introduce yourself.
One thing I've been meaning to write about for a while now is NTT Data's deployment of EV SSL across 80 Japanese banks. Because of the relationship this ASP has with its customer banks, NTT Data can affect EV SSL deployment across this huge number of online banks simultaneously. The Japanese banking industry has been a strong user of EV SSL, including early deployment by leaders like SMBC and Sony Bank.
I think the headline says it all. MarketingSherpa has selected Liberty Fillmore and his avocation of cart rescuology as one of the ten viral campaigns in its Hall of Fame 2008.
In other news, Liberty Fillmore the Cart Whisperer is back in his latest film. Be sure to check it out.
I recently wrote an entry in which I stated that EV SSL is a powerful mitigator against the classic phishing attack. I have received an e-mail asking me to explain how I know that to be the case. Happy to oblige.
If you were a reader of The SSL Blog a little over a year ago when VeriSign premiered the Extended Validation SSL Certificate, you know about the Tec-Ed research. For newer readers or in case we all don't exactly remember how it went, here's a recap.
VeriSign SSL principal architect Rick Andrews and I recently gave this Web seminar explaining the Debian OpenSSL flaw and what to do about it.