There's been a lot of discussion about OCSP again recently after the Apple incident caused by Big Sur. I've written up some details about what happened and thoughts for what we could/should do about it: scotthelme.co.uk/deja-vu-macos-…
Apple published a support article to address the concerns raised; here are the details and my update based on their comments: scotthelme.co.uk/deja-vu-macos-…
Apple will introduce "A new encrypted protocol for Developer ID certificate revocation checks" but are we talking OCSP over HTTPS or something else?
Apple have promised "Strong protections against server failure" so they're likely going to bolster the OCSP service with a lot more cloud.
Users won't have to block OCSP requests for developer certificates and can instead use "A new preference for users to opt out of these security protections".


More from @Scott_Helme

16 Nov
@BritishGasHelp @srobertson92 A few things to help you out from your friendly British security researcher:

1) Shorter passwords are easier to remember which is what makes them weak and easy to guess. This means it's more likely someone else will have access to it, not less likely.
@BritishGasHelp @srobertson92 2) Allowing someone to have an easy to remember 8-10 character password doesn't mean you need to prevent someone else from having an ultra-secure 64 character password. It's possible for both of these things to coexist, and they should.
@BritishGasHelp @srobertson92 3) Weak passwords do not protect customer data, they do the opposite and put customer data at risk. We should be encouraging stronger passwords and the use of password managers.
2 Sep
I'm not sure what's more worrying, that CAs have continued to issue certificates for >398 days or that I'm not surprised that it's happened... 🤷‍♂️
Imagine buying a new certificate that looks like this!
NET::ERR_CERT_VALIDITY_TOO_LONG
Here's the certificate, they definitely missed the deadline:
Validity
Not Before: Sep 1 00:16:16 2020 GMT
Not After : Sep 1 00:16:16 2022 GMT

crt.sh/?id=3318010380
16 Apr
The @ubnt fairy came and I couldn’t be more excited! 😝
So here we go with the build! First up was the rack, I wanted one with wheels because of where it’s going (space restricted and can’t go on the wall). Couldn’t see one I like with wheels so I gave mine wheels!
Next was unboxing and damn Ubiquiti know how to package stuff. It’s like opening Apple products but better. I mean just look at how they package *screws*!!
3 Mar
Let's Encrypt identified a bug in their CAA checking and disabled issuance for 2h 12m whilst they patched: community.letsencrypt.org/t/2020-02-29-c…
As a result of this, Let's Encrypt will be revoking quite a large number of certificates: community.letsencrypt.org/t/revoking-cer…
The total number is 3,048,289 and you can download the list of serial numbers that will be affected here: letsencrypt.org/caaproblem/
16 Aug 19
As entertaining as the whole EV thing is in some respects, I do sit back and question my own knowledge and views in the background too. A very common thing that keeps coming up in defence of EV, is phishing. I did some reading and here are a few interesting things.
Every piece of data I've looked at so far, including PhishLabs and the APWG, show that phishing is on the rise and it's a massive problem. I believe and hope that everyone will agree with that, but there are interesting stats around phishing on HTTPS.
Look at this Netcraft data on certificate issuance to phishing sites, that's quite a remarkable trend and indicates a shift of phishing sites moving from HTTP to HTTPS.
source: news.netcraft.com/archives/2017/…
30 Jul 19
*throws self off roof*
sectigo.com/blog/new-resea…
Enough with the specious reasoning already 🤦‍♂️🤦‍♂️🤦‍♂️
100% depends on the user. Also advises users should trust sites with EV. You should read the EV SSL Guidelines: cabforum.org/wp-content/upl…
