Home » Posts tagged "ca" (Page 3)

Let's Encrypt 決定要規劃 Wildcard SSL Certificate 了

Let's Encrypt 把時間表喊出來了,預定在 2018 年年初開放使用:「Wildcard Certificates Coming January 2018」。

Wildcard SSL Certificate 會需要走新的 ACME v2 協定認證:

Wildcard certificates will be offered free of charge via our upcoming ACME v2 API endpoint. We will initially only support base domain validation via DNS for wildcard certificates, but may explore additional validation options over time.

跟前陣子提到的「ACME v2 API Endpoint Coming January 2018」是相同的時間。

這好讚...

IE 與 Edge 推出更新,阻擋 SHA-1 憑證

微軟這幾天推出更新,IEEdge 將不會接受 SHA-1 憑證:「Microsoft Makes it Official, Cuts off SHA-1 Support in IE, Edge」。微軟的公告則是在「Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11」這邊。

根憑證不受影響 (所以企業自己產生的 Root CA 也不受影響):

Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates.

未來 CA 將會強制要求檢查 DNS CAA record

CA/Browser 通過提案,要求以後 CA 單位都要檢查 DNS CAA record 才能發放憑證 (RFC 6844 的「DNS Certification Authority Authorization (CAA) Resource Record」):「Ballot 187 - Make CAA Checking Mandatory」。

Certificate Authority Authorization (CAA) is a DNS Resource Record defined in RFC 6844 – https://datatracker.ietf.org/doc/rfc6844/ , published in January 2013. It allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain and, by implication, that no other CAs are authorized.

透過 DNS CAA 資料,你可以限制只有誰可以發你的憑證,直接用白名單做控管。

未來 SSL Certificate 的最大有效時間將降到 825 天

CA/Browser Forum 通過了這項提案,將 SSL Certificate 的最大有效時間降到 825 天 (大約 27 個月):「Ballot 193 - 825-day Certificate Lifetimes」。

所以將會從本來的 39 個月降到 27 個月左右,所以現在買得到最長的 certificate 會有 3 年,以後會有 2 年:

Recent Ballot 185 demonstrated a consensus among Forum members to reduce the maximum lifetime for DV and OV certificates from 39 months to 825 days (roughly 27 months). This ballot reflects that consensus, and also reduces the maximum period for reuse of vetting data for DV and OV certificates from 39 months to 27 months.

Firefox 下一個版本 (52) 將預設關閉 SHA-1 支援

順著 SHA-1 正式被打穿,Mozilla 也正式宣佈從下一個版本的 Firefox 將完全關閉 SHA-1 支援 (看敘述應該還是可以透過 about:config 開):「The end of SHA-1 on the Public Web」。

As announced last fall, we’ve been disabling SHA-1 for increasing numbers of Firefox users since the release of Firefox 51 using a gradual phase-in technique. Tomorrow, this deprecation policy will reach all Firefox users. It is enabled by default in Firefox 52.

大家都開始有動作了...

dehydrated 0.4.0 的新要求

dehydrated 出 0.4.0 了,剛剛把 PPA for dehydrated 更新了,已經安裝過的使用者可以直接升級使用。

這次主要的改變在於建立帳號時必須先同意 Let's Encrypt 的使用條款:

dehydrated now asks you to read and accept the CAs terms of service before creating an account

這邊可以用 dehydrated --register --accept-terms 表示同意並且建立帳號。

微軟預定在 2017 年的西洋情人節淘汰 SHA-1 certificate

經過多次改動後,微軟這次宣佈 SHA-1 certificate 將在明年淘汰:「SHA-1 deprecation countdown」。

影響的範圍包括 Internet Explorer 11Microsoft Edge,在 2017 年 2 月 14 日之後不信任 SHA-1 certificate:

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning.

與其他家類似,還是提供了管道讓企業內部建立的 SHA-1 certificate 可以用:

This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend for all customers to quickly migrate to SHA-256.

Google Chrome 將在 2017 的 56 版停止支援 SHA-1 SSL Certificate

在明年一月的 Google Chrome 56 將會停止支援 SHA-1 SSL Certificate:「SHA-1 Certificates in Chrome」,唯一的例外是自己建立的 CA,主要是給企業內部用的:

Starting with Chrome 54 we provide the EnableSha1ForLocalAnchors policy that allows certificates which chain to a locally installed trust anchor to be used after support has otherwise been removed from Chrome.

但安全性的標示不會是綠色的鎖頭:

Features which require a secure origin, such as geolocation, will continue to work, however pages will be displayed as “neutral, lacking security”.

使用 SHA-1 程式碼的完全移除預定在 2019 年 (大約兩年多):

Since this policy is intended only to allow additional time to complete the migration away from SHA-1, it will eventually be removed in the first Chrome release after January 1st 2019.

但如果對 SHA-1 攻擊有重大突破的話也會考慮提前:

We may also remove support before 2019 if there is a serious cryptographic break of SHA-1.

Google Chrome 也宣佈不信任 WoSign + StartCom 的計畫

Google Chrome 也公開了對 WoSign + StartCom 的計畫:「Distrusting WoSign and StartCom Certificates」。

由於大家遇到的技術問題都一樣 (之前發出的量太大,無法窮舉表列出來),所以處理的方法也類似於 Mozilla 的作法,只信任 2016/10/21 前發出的 certificate:

Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted.

Google Chrome 目前是 54,所以這表示會在兩個版本後生效。另外特別提出來必須有 CT flag (Certificate Transparency),或是在白名單的網站:

Certificates issued before this date may continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom.

而因為安全考量,會有某些 certificate 是沒救的情況:(就上面的描述,看起來是指不在白名單內又沒標 CT flag 的)

Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance.

話說 www.kernel.org 從本來的 StartCom 換掉了 (之前都要打 badidea 進去看),剛剛看是 2016/10/11 簽的憑證...

這樣除了 Microsoft 還是沒動作外,其他比較大的瀏覽器都到齊了...

Archives