Ask the Experts

Ask the Experts

PKI and digital certificates

• How to use a public key and private key in digital signatures

  Ensuring authenticity of online communications is critical to conduct business. Learn how to use a public key and private key in digital signatures to manage electronic documents.  Continue Reading

• Can PDF digital signatures be trusted?

  Digital signatures on PDF documents don't necessarily guarantee their contents are valid, as new research shows viewer implementations don't always detect incomplete signatures.  Continue Reading

• How concerned should I be about a padding oracle attack?

  Padding oracle attacks have long been well-known and well-understood. Find out how they work and why using modern encryption protocols can reduce the risks.  Continue Reading

• Will DNS Flag Day affect you? Infoblox's Cricket Liu explains

  What is DNS Flag Day? That's when old and broken DNS servers will stop working, improving DNS performance and safety for all. Infoblox's chief DNS architect Cricket Liu explains.  Continue Reading

• Public key pinning: Why is Google switching to a new approach?

  After introducing HTTP Public Key Pinning to the internet two years ago, the upcoming Chrome will replace it with the Expect-CT header. Matt Pascucci explains the switch.  Continue Reading

• PGP keys: Can accidental exposures be mitigated?

  The accidental publication of an Adobe private key could have put the company in jeopardy. Matt Pascucci explains how it happened and how to better protect PGP keys.  Continue Reading

• Running a private certificate authority: What are the risks?

  Running a private certificate authority can pose significant risks and challenges to meet baseline requirements. Michael Cobb explores what enterprises should know.  Continue Reading

• WoSign certificates: What happens when Google Chrome removes trust?

  Google Chrome has started removing trust in certificates issued by WoSign. Matthew Pascucci explains this decision and what it means for companies using WoSign certificates.  Continue Reading

• Ticketbleed flaw: How can SSL session identities be protected?

  The Ticketbleed flaw in F5 Networks' BIG-IP appliances leaks uninitialized memory and SSL session identities. Expert Michael Cobb explains how enterprises can mitigate it.  Continue Reading

• SHA-1 certificates: How will Mozilla's deprecation affect enterprises?

  Mozilla browser users will encounter 'untrusted connection' errors if they use SHA-1 signed certificates. Expert Michael Cobb explains why, and what enterprises can do.  Continue Reading

• HTTP public key pinning: Is the Firefox browser insecure without it?

  HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael Cobb explains how HPKP works.  Continue Reading

• How can PGP short key IDs be protected from collision attacks?

  A well-known PGP short key ID flaw has been discovered to be the cause of collision attacks on Linux developers. Expert Michael Cobb explains the flaw with short key IDs.  Continue Reading

• How can users protect mobile devices from SandJacking attacks?

  Attackers can use the SandJacking attack to access sandboxed data on iOS devices. Expert Nick Lewis explains how to protect your enterprise from this attack.  Continue Reading

• Internal PKI: What are the benefits of enterprises moving it in-house?

  Many large enterprises have their own internal public key infrastructure. Expert Michael Cobb explains the considerations organizations should make before undertaking the task.  Continue Reading

• How does SandJacking let attackers load malware on iOS devices?

  SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the attack works.  Continue Reading

• How can BGP hijacking be detected and prevented?

  What is BGP hijacking or IP hijacking and how do cybercriminals pull off the attacks? Expert Michael Cobb explains how enterprises can mitigate these risks.  Continue Reading

• Is eDellRoot certificate vulnerability an isolated problem?

  Is the Dell eDellRoot security threat a serious problem and, if so, can it be prevented with self-signed root certificate authorities? Expert Michael Cobb explains the potential threats.  Continue Reading

• Can a subscription ease SSL certificate management?

  SSL subscription services are emerging to help enterprises handle the daunting task of SSL certificate management. Expert Michael Cobb discusses the benefits of such a service.  Continue Reading

• How can mobile certificate security risks be reduced?

  According to recent research, mobile certificate usage is riddled with security issues. Expert Michael Cobb explains how to best control and secure mobile certificates in the enterprise.  Continue Reading

• How can we secure enterprise email at home and abroad?

  Emails often contain sensitive information, yet the proper measures are not always taken to secure them. Learn how to keep corporate email safe both at home and in foreign countries.  Continue Reading

• Will Certificate Transparency solve certificate authority trust issues?

  Explore how Certificate Transparency can help resolve certificate and certificate authority issues plaguing enterprises today.  Continue Reading

• How can a cross-certificate make Android devices crash?

  Cross-signed certificates are causing Android devices to crash, and it's not the first time there's been a problem. Learn more about this issue and its potential security risks.  Continue Reading

• How does public key pinning improve website security?

  Certificate authority confidence is waning, but the emergence of public key pinning can help keep websites secure. Expert Michael Cobb explains how.  Continue Reading

• How can forged certificates from trusted vendors be stopped?

  Unauthorized certificates from trusted vendors have become a big Internet security concern. Expert Michael Cobb discusses how to stay protected against this threat.  Continue Reading

• How to detect fraudulent certificates that look real

  Malware using seemingly real digital certificates is becoming more prevalent. Expert Nick Lewis discusses how to detect fraudulent certificates.  Continue Reading

• How do different browsers handle SSL certificate revocation?

  Application security expert Michael Cobb explores how different Web browsers handle SSL certificate revocation.  Continue Reading

• Using a digital signature, electronic signature and digital certificate

  While they may seem similar, a digital signature, electronic signature and digital certificate all have unique functions. In this IAM expert response from Randall Gamby, learn the differences and how each is used.  Continue Reading

• The difference between a digital signature and digital certificate

  A digital signature and a digital certificate, while both security measures, are different in the ways they are implemented and what they are implemented for. In this expert response, Randall Gamby explains the difference.  Continue Reading

• Digital signature implementation: How to verify email addresses

  When implementing digital signatures in Outlook, learn what pitfalls to avoid and how to verify the email addresses and digital signatures of the senders.  Continue Reading

• Is it possible to crack the public key encryption algorithm?

  Is it possible to create a PKI encryption key that is unbreakable? IAM expert Randall Gamby weighs in.  Continue Reading

• PKI vulnerabilities: How to update PKI with secure hash functions

  Learn how to prevent PKI vulnerabilities recently announced by Dan Kaminsky from being exploited at your enterprise with advice from IAM expert Randall Gamby.  Continue Reading

• How to encrypt passwords using network security certificates

  Learn the most secure way to transfer passwords to applications using network security, identity management, and application security certificates.  Continue Reading

• Can any firm or organization get a digital signature certificate?

  Learn how a firm can obtain a digital signature certificate. Also, learn about several certificate authorities (CA) that manage them.  Continue Reading

• How to obtain a digital certificate for a server

  In order to use SSL-protected communications, such as exchanging Web traffic using the HTTPS protocol, an enterprise must first purchase and then install a digital certificate on its server. In this expert Q&A, Mike Chapple explains how to do just ...  Continue Reading

• Choosing from the top PKI products and vendors

  In this expert response, security pro Joel Dubin discusses the best ways to compare PKI products and vendors for enterprise implementation of PKI.  Continue Reading

• Can the symmetric encryption algorithm for S/MIME messages be changed?

  Encryption algorithm requirements ensure a base level of interoperability among all S/MIME implementations. Email clients, however, can add additional algorithms, provided they correctly identify which algorithms a particular message uses. Expert ...  Continue Reading

• Creating a personal digital certificate

  In this SearchSecurity.com expert Q&A, identity management and access control pro Joel Dubin discusses the pros and cons associated with creating a personal digital certificate.  Continue Reading

• What are the alternatives to RC4 and symmetric cryptography systems?

  In this SearchSecurity.com Q&A, network security expert Mike Chapple explains how RC4 encryption stacks up against public key cryptography.  Continue Reading

• Can a certificate authority be trusted?

  In this expert Q&A, Ed Skoudis reveals what research needs to be done before importing a certificate into your browser.  Continue Reading

• Is a digital watermark a legitimate authentication factor?

  Identity management and access control expert Joel Dubin explores how reliable a digital watermark is when acting as a authentication factor.  Continue Reading

• Choosing the right public key algorithm: RSA vs. Diffie-Hellman

  In this SearchSecurity.com expert response, Joel Dubin explores two different public key encryption algorithms and discusses how to make the right choice for your information security needs.  Continue Reading

• When choosing a digital certificate, how important is the expiration period?

  In this expert Q&A, application security pro Michael Cobb helps you plan your digital certificate policy. Cobb emphasizes the importance of keeping your Web server certificates up-to-date.  Continue Reading

• What tools are available to verify a patch's validity?

  Ever wonder about the source and integrity of a downloaded patch? In our expert Q&A, platform security expert, Michael Cobb, tells users about various management programs that can verify your patches.  Continue Reading

• The strengths and weaknesses of PKI and PGP systems

  PKI and OpenPGP can enhance the security of your data, but these services differ in how they manage digital certificates. SearchSecurity.com expert Michael Cobb explains the distinct strengths and weaknesses of each program.  Continue Reading

• Which public key algorithm is used for encrypting emails?

  Although PGP and S/MME both use public key encryption, Expert Joel Dubin explains PGP and S/MME's distinct approaches to e-mail coding.  Continue Reading

• The pros and cons of PKI and two-factor authentication methods

  There are myriad authentication methods to choose from today; learn the pros and cons of two such methods, Public Key Infrastructures and two-factor authentication systems, and how each system helps validate user identities, in this identity and ...  Continue Reading

• Should an organization design and use their own Certification Authority?

  While using a unique Certification Authority may improve an organization's defense-in-depth strategy, using a commercial CA might save you time and money in the long run. Weigh the pros and cons of each, in this Ask the Expert Q&A.  Continue Reading

• How PKI systems work

  Learn how PKI systems work and whether there are any potential user problems enterprises should be aware of.  Continue Reading

• Web application variable manipulation

  Learn what happens to a Web application that uses two certificates: a client-side SSL certificate and a server-side certificate, and whether this certificate combination prevents Web application manipulation.  Continue Reading

• How Kerberos, PKI and IPsec interoperate

  In this Ask the Expert Q&A, our identity and access management expert explains how these three unrelated systems interoperate to authenticate and manage digital certificates.  Continue Reading

• How IPsec and SSL/TLS use symmetric and asymmetric encryption

  In this Ask the Expert Q&A, our identity and access management expert explains how IPsec and SSL/TLS use these two authentication methods to establish secure Web sessions.  Continue Reading

• Digital certificates and webmail

  In this Ask the expert Q&A, our application security expert analyzes whether or not you can use digital IDs and certificates with webmail. He also discusses how and where to secure these devices to ensure your e-mail system is secure.  Continue Reading

• When to use PKI

   Continue Reading

• Generic PKI CA threat model

   Continue Reading

• PKI breaches

   Continue Reading