dralnux.com
In recent days, several major tech companies have formally disavowed and discontinued use of a Chinese security certificate provider, WoSign.
The abandonments began when Mozilla announced that WoSign was not following best practices in issuing its certificates.
The primary concern lies in the fact that WoSign was back-dating certain website certificates to circumvent checks that prevent expired certs from working.
After Mozilla’s announcement, Apple quickly said that it would also distrust and ban all WoSign certificates.
Not long after, Google followed by announcing the search giant would also distrust WoSign and a related firm beginning immediately.
The result of all this action is that the web will be a slightly safer place.
Invalid security certificates are no joke; it’s essential that all parties involved can trust the validity of a website’s security.
What is a certificate, though?
Perhaps while browsing websites in Safari on macOS, you’ve noticed that many sites default to HTTPS instead of HTTP.
You may already be aware that this is a sign that SSL security is active, encrypting the data exchanged between your computer and the web server.
However, to work properly, SSL requires security certificates.
Understanding what these are is essential for safe browsing.
Just enabling SSL doesn’t automatically mean you can trust a website.
That’s why sites using encryption turn to third-party Certificate Authorities, like WoSign, to verify their identity.
This third-party verification is known as a certificate.
Essentially, this tells your computer that “Yes, this person is who they say they are,” proving you aren’t currently at risk of a “man in the middle” attack.
Apple, Google, and others keep a database of trustworthy certificate providers.
If you visit a website with an invalid certificate or no certificate at all over HTTPS, your browser will usually warn you.