Tag Archives: ca

StartCom 決定關門

在 Hacker News 上看到 StartCom 決定關門的消息:「Termination of the certificates business of Startcom」。 2018 停發新的憑證,然後維護兩年 CRL 與 OCSP 服務: We´ll set January 1st 2018 as the termination date and will stop issuing certificates therefrom. We will maintain our CRL and OCSP … Continue reading

Posted in Computer, Murmuring, Network, Privacy, Security, Service|Tagged , , , , , , , , , , |Leave a comment

Savitech (盛微) 的 USB 音效驅動程式會安裝 Root CA (被發了 CVE-2017-9758)

在 Hacker News 上看到 CERT 的「Savitech USB audio drivers install a new root CA certificate」提到 Savitech USB audio driver 會安裝自己的 Root CA: Savitech provides USB audio drivers for a number of specialized audio products. Some versions of the Savitech driver … Continue reading

Posted in Computer, Murmuring, OS, Privacy, Programming, Security, Software, Windows|Tagged , , , , , , , , , , , , , , , |Leave a comment

Chromium 內提案移除 HPKP (HTTP Public Key Pinning)

Twitter 上看到這則 tweet,提到要移除 HPKP (HTTP Public Key Pinning): Intent To Deprecate And Remove: Public Key Pinning (in Chromium) https://t.co/agS3fll7eR — Adam Langley (@agl__) October 27, 2017 blink-dev 上的討論可以參考「Intent To Deprecate And Remove: Public Key Pinning」(就是上面那個連結,只是拉出來)。 這個提案大概可以推敲出理由... 目前的作法必須寫進瀏覽器內,這樣明顯會有 scale 問題,而且這個作法本身就很 workaround,只能保護所謂「高價值」的 … Continue reading

Posted in Browser, Computer, DNS, GoogleChrome, Network, Security, Software, WWW|Tagged , , , , , , , , , , , , , , , , , , , |2 Comments

Google Chrome 對 Symantec 全系列憑證的不信任計畫

Google Chrome 前陣子整理了一份對 Symantec 憑證的不信任計畫:「Chrome’s Plan to Distrust Symantec Certificates」。 這包括了一卡車的品牌,像是 Thawte、VeriSign、GeoTrust、RapidSSL,不過 Equifax 跟 Symantec 的關係我沒查到...: Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous … Continue reading

Posted in Browser, Computer, GoogleChrome, Murmuring, Network, Security, Software, WWW|Tagged , , , , , , , , , , , , , , , , , , |1 Comment

Amazon Route 53 支援 CAA record 了

Amazon Route 53 宣佈支援 CAA record 了:「Announcement: Announcement: Amazon Route 53 now supports CAA records」、「Amazon Route 53 now supports CAA records」。 這是一個被動性的 workaround,要求 CA 本身要支援 DNS CAA,所以他沒辦法防止 CA 本身作惡誤簽,但因為負作用與技術債的可能性不高,在 CA/Browser Forum 上被通過強制要求支援了。(參考「未來 CA 將會強制要求檢查 DNS CAA record」) Gandi 的 DNS … Continue reading

Posted in AWS, Cloud, Computer, DNS, Murmuring, Network, Security, Service|Tagged , , , , , , , , , , |Leave a comment

Amazon Route 53 將會加緊支援 DNS CAA

看到 Amazon Route 53 要支援 DNS CAA 的消息:「Announcement: Announcement: CAA Record Support Coming Soon」。 裡面有提到 CA/Browser Forum 的決議,要求各瀏覽器支援 DNS CAA: On March 8, 2017, the Certification Authority and Browser Forum (CA/Browser Forum) mandated that by September 8, 2017, CA’s are … Continue reading

Posted in AWS, Cloud, Computer, DNS, Murmuring, Network, Security|Tagged , , , , , , , , , , , , , |Leave a comment

Google Chrome 對 WoSign 與 StartCom 的白名單要完全移除了

在 Twitter 上看到的: Chrome will fully distrust WoSign and StartCom in Chrome 61; beta in July, stable in September. https://t.co/5fnda6aUQw — Ivan Ristic (@ivanristic) July 7, 2017 對 WoSign 與 StartCom 的移除會發生在 61 版,而依照「Final removal of trust in WoSign and … Continue reading

Posted in Browser, Computer, GoogleChrome, Murmuring, Network, Security, Service, Software, WWW|Tagged , , , , , , , , , , , |1 Comment

Let's Encrypt 決定要規劃 Wildcard SSL Certificate 了

Let's Encrypt 把時間表喊出來了,預定在 2018 年年初開放使用:「Wildcard Certificates Coming January 2018」。 Wildcard SSL Certificate 會需要走新的 ACME v2 協定認證: Wildcard certificates will be offered free of charge via our upcoming ACME v2 API endpoint. We will initially only support base domain validation via … Continue reading

Posted in Computer, Murmuring, Network, Privacy, Security, Service|Tagged , , , , , , , , , , , , |Leave a comment

IE 與 Edge 推出更新,阻擋 SHA-1 憑證

微軟這幾天推出更新,IE 與 Edge 將不會接受 SHA-1 憑證:「Microsoft Makes it Official, Cuts off SHA-1 Support in IE, Edge」。微軟的公告則是在「Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11」這邊。 根憑證不受影響 (所以企業自己產生的 Root CA 也不受影響): Beginning May 9, 2017, Microsoft released updates … Continue reading

Posted in Browser, Computer, IE, Murmuring, Network, Security, Software, WWW|Tagged , , , , , , , , , , , , , , |Leave a comment

Netflix 的 BetterTLS,推廣 CA 的 Name Constraints

Netflix 因為想用 Name Constraints,所以決定自己跳出來推廣了:「BetterTLS - A Name Constraints test suite for HTTPS clients」。 就是在 CA 上可以綁定條件,只允許哪些 domain 可以被發放: 網站在「BetterTLS: Name Constraints」這邊可以看。

Posted in Computer, Murmuring, Network, Security, WWW|Tagged , , , , , , , , , , , , , , , |Leave a comment