News 11-14-2014

This Week in SSL – The NY Times and HTTPS, PayPal disabling SSLv3, and IE Considering Public-Key Pinning

Meggie Woodfield

Here is our latest news roundup of articles about network and SSL security.

In a blog post published this week, Rajiv Pant (CTO of the NY Times) and a co-author discuss the benefits and challenges of HTTPS.

Pant's list of HTTPS benefits includes better security, privacy, and improved SEO rankings. Pant also cites the Freedom of the Press Foundation's finding that only three news sites have HTTPS on by default, and urges more news sites to move to HTTPS. The challenges he describes revolve around supporting third-party content, specifically advertisements, and the hurdles sites may hit while implementing HTTPS.

Pant ends with what he says is a "call to action," urging news sites and other sites online to enable HTTPS by default.

PayPal has announced that they will disable support for SSL 3.0 before the holiday shopping season. In his blog post, PayPal CTO James Barrese wrote:

“PayPal will be disabling support for SSL v3 on December 3, 2014. Any merchant customer whose integration with PayPal uses SSL v3 will need to update their integration before this date to avoid an interruption in their ability to accept payments with PayPal.”

This move is in reaction to the vulnerability in the SSL 3.0 protocol that was announced last month. Barrese also stated in the blog post that PayPal recognizes this move will be challenging for some of their merchant customers, but that they have extended support as long as possible without compromising their customers' information.
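A merchant updating an integration ahead of a cutoff like PayPal's needs the client side to stop offering SSL 3.0 at all. The following is an added example, not code from PayPal or from the original article, using Python's standard `ssl` module: it builds a client context whose floor is TLS 1.2 and provides a small audit helper that reports whether a given context would still negotiate SSLv3. Function names are this example's own.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that never negotiates SSL 3.0 (or TLS 1.0/1.1).

    create_default_context() already enables certificate and hostname
    verification; we additionally pin the protocol floor explicitly so the
    result does not depend on the OpenSSL build's defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allows_sslv3(ctx: ssl.SSLContext) -> bool:
    """True if the context's protocol floor is low enough to offer SSLv3."""
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Human-readable protocol floor, e.g. 'TLSv1_2', for audit output."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    context = hardened_client_context()
    print("minimum protocol:", minimum_version_name(context))
    print("would offer SSLv3:", allows_sslv3(context))
```

Modern Python and OpenSSL builds refuse SSL 3.0 regardless, so `allows_sslv3` is mainly useful for auditing contexts constructed elsewhere in a codebase (for example, a legacy integration that lowers `minimum_version` or loads an old protocol constant).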

In October of this year, Google security engineers submitted an Internet-Draft to the IETF that outlined public-key pinning as an extension to HTTP. This extension would protect users against Man-in-the-Middle (MITM) attacks that rely on forged certificates.

Google Chrome already supports public-key pinning. Now it looks like Microsoft is considering adding public-key pinning to Internet Explorer.

Public-key pinning helps prevent MITM attacks by binding a specific domain to a set of public keys, typically those of the site's own certificate or of the Certificate Authority that issued it. When users visit a pinned site and its certificate chain contains one of the pinned keys, the lock icon appears as it normally would. However, if the certificate chain presented for a pinned domain contains none of the pinned keys, even when that chain is otherwise valid, the browser will refuse the connection.
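To make the pin check concrete, here is an added example (not code from Google, Microsoft or the article) in Python that follows the HTTP extension's design: a pin is the base64 of the SHA-256 of a certificate's DER-encoded SubjectPublicKeyInfo, the `Public-Key-Pins` header carries several `pin-sha256` directives plus `max-age`, and a validated chain is accepted only if at least one certificate in it matches a pinned key. The SPKI byte strings below are constructed stand-ins, not real keys, and all function names are this example's own.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
LEAF_SPKI = b"constructed-leaf-spki-der"
INTERMEDIATE_SPKI = b"constructed-intermediate-ca-spki-der"
BACKUP_SPKI = b"constructed-backup-key-spki-der"  # key held offline
ROGUE_LEAF_SPKI = b"constructed-misissued-leaf-spki-der"
ROGUE_CA_SPKI = b"constructed-compromised-ca-spki-der"


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_pkp_header(pins, max_age: int, include_subdomains: bool = False) -> str:
    """Serialize a Public-Key-Pins header as a site would send it."""
    parts = ['pin-sha256="%s"' % p for p in sorted(pins)]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header into pins, max_age and includeSubDomains."""
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        # partition on the first '=' only, since base64 pins end in '='
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def is_valid_pin_set(pins, chain_spkis) -> bool:
    """A browser only records pins if at least one matches the current chain
    AND at least one does not (a backup pin), so a key rollover cannot lock
    the site's own users out."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(pins & chain_pins) and bool(pins - chain_pins)


def chain_matches_pins(pins, chain_spkis) -> bool:
    """Connection is allowed iff any certificate in the (already validated)
    chain carries a pinned public key."""
    return any(spki_pin(s) in pins for s in chain_spkis)


def check_pinned_connection(header_value: str, chain_spkis) -> str:
    """Decide what a pinning-aware browser does with a chain for a pinned host."""
    pins = parse_pkp_header(header_value)["pins"]
    if chain_matches_pins(pins, chain_spkis):
        return "allow"  # lock icon shown as usual
    return "reject"  # valid chain, but no pinned key present: refuse


if __name__ == "__main__":
    header = build_pkp_header({spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)}, 5184000, True)
    print(header)
    print("legitimate chain:", check_pinned_connection(header, [LEAF_SPKI, INTERMEDIATE_SPKI]))
    print("mis-issued chain:", check_pinned_connection(header, [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI]))
```

The second call models the scenario the article describes: a certificate for the pinned domain that chains to a trusted root but whose keys were never pinned is refused even though ordinary chain validation would have accepted it. The backup-pin rule in `is_valid_pin_set` is the operational cost that made pinning hard to deploy; a site that pins only its current key and later loses it has no way to recover within `max-age`.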
