Tag Archive for: Certificate

Companies Face Issues as Let’s Encrypt Root Certificate Expires

Many websites experienced issues this week following the expiration of a root certificate provided by Let’s Encrypt, a free and open certificate authority (CA) used by millions of sites.

Let’s Encrypt, which is part of the nonprofit Internet Security Research Group (ISRG), is a massive provider of HTTPS certificates: Last February, it issued its billionth certificate and announced it was serving nearly 192 million websites.

The expiry of IdenTrust DST Root CA X3 happened on Sept. 30; after this, computers, devices, and clients like Web browsers will no longer trust certificates that have been issued by this CA.

“If the root certificate that your certificate chain anchors on is expired then there’s a good chance it’s going to cause things to fail,” writes Scott Helme, founder of Security Headers, in a Sept. 20 blog post warning of the issue. This happened last May, he added, when the AddTrust External CA Root expired and caused problems for Roku, Stripe, and other organizations.

“Given the relative size difference between Let’s Encrypt and AddTrust, I have a feeling that the IdenTrust root expiry has the potential to cause more problems,” Helme says.

In most circumstances, a root CA expiration wouldn’t generate a lot of conversation because the transition from an old root certificate to a new one is “completely transparent,” Helme writes. The reason this expiry is causing problems is that some clients aren’t regularly updated; when that’s the case, the new root CA replacing the old one is never downloaded onto the device, so the device can only anchor chains on the expired root.

In his blog post, he lists clients that will break after the IdenTrust DST Root CA X3 expires. These include versions of macOS older than 10.12.1, Windows versions older than XP Service Pack 3, iOS versions older than iOS 10, OpenSSL versions up to and including 1.0.2, and Firefox versions older than 50.

Helme told ZDNet that he had confirmed organizations including Palo Alto, Bluecoat, Cisco Umbrella, Google Cloud Monitoring, Auth0, Shopify, QuickBooks, and Fortinet were among those experiencing issues following the expiration. In a tweet, Let’s Encrypt advises those experiencing errors to check out the fixes in its community forum. It also notes…

Source…
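The failure mode Helme describes can be reproduced offline with a throwaway PKI. The script below is an added example and not code from the article, from Helme, or from Let’s Encrypt: it builds an old short-lived root, a new long-lived root, a cross-signed copy of the new root issued by the old one (the shape of the ISRG Root X1 / DST Root CA X3 arrangement), an intermediate and a leaf, then validates the leaf as of two days from now, when the old root has expired. The names (Old Root, New Root, Intermediate, example.test) are constructed; it assumes the openssl CLI is installed and, for the second check, the behaviour of OpenSSL 1.1.0 or newer, which prefers a trust-store match over the served cross-signed root.

```shell
#!/bin/sh
# Added example: simulate a root expiry with a constructed PKI (not Let's Encrypt's real material).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: CA certificates need basicConstraints CA:TRUE; the leaf must not be a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.test\n' > leaf.ext

# Old root: self-signed and valid for only 1 day (stands in for the expiring DST Root CA X3).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Old Root' \
  -keyout oldroot.key -out oldroot.pem 2>/dev/null
# New root: self-signed and long-lived (stands in for ISRG Root X1).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=New Root' \
  -keyout newroot.key -out newroot.pem 2>/dev/null
# Cross-sign: the new root's key certified by the old root, valid well past the old root's own expiry.
openssl req -new -key newroot.key -subj '/CN=New Root' -out newroot.csr 2>/dev/null
openssl x509 -req -in newroot.csr -CA oldroot.pem -CAkey oldroot.key -set_serial 2 \
  -days 3650 -extfile ca.ext -out newroot-cross.pem 2>/dev/null
# Intermediate issued by the new root; leaf issued by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj '/CN=Intermediate' -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA newroot.pem -CAkey newroot.key -set_serial 3 \
  -days 1825 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=example.test' -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 4 \
  -days 90 -extfile leaf.ext -out leaf.pem 2>/dev/null

# What the server sends alongside the leaf: the intermediate plus the cross-signed new root.
cat int.pem newroot-cross.pem > served-chain.pem

# verify_with TRUSTSTORE: validate the leaf as of 2 days from now (after the old root expired).
# Prints a one-line verdict and returns 0 (chain valid) or 1 (chain rejected).
verify_with() {
  at=$(( $(date +%s) + 2 * 86400 ))
  if openssl verify -attime "$at" -CAfile "$1" -untrusted served-chain.pem leaf.pem >/dev/null 2>&1; then
    echo "ok:   trust store $1 builds a valid chain"
    return 0
  fi
  reason=$(openssl verify -attime "$at" -CAfile "$1" -untrusted served-chain.pem leaf.pem 2>&1 | grep error | head -n 1)
  echo "FAIL: trust store $1 ($reason)"
  return 1
}

verify_with oldroot.pem || true   # never-updated client: the only path it can build ends at an expired root
verify_with newroot.pem || true   # client that received the new root: path leaf -> intermediate -> new root
```

The first check is the position of the unpatched clients in Helme's list: the served chain leads back to a root they trust, but that root has expired, so the whole chain is rejected. The second check shows why updating the trust store is the fix rather than anything on the server: once the new self-signed root is trusted, the same served chain validates, because the verifier stops at the trusted copy of the new root instead of following the cross-signature up to the expired one.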

Meterpreter Certificate Validation – Metasploit Minute [Cyber Security Education]

Security vs Privacy! What's The Difference? | Go Incognito 1.3

Report: Active Directory Certificate Services a big security blindspot on enterprise networks

As the core of Windows enterprise networks, Active Directory, the service that handles user and computer authentication and authorization, has been well studied and probed by security researchers for decades. Its public key infrastructure (PKI) component, however, has not received the same level of scrutiny and, according to a team of researchers, deployments are rife with serious configuration mistakes that can lead to account and domain-level privilege escalation and compromise.

“AD CS [Active Directory Certificate Services] is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more,” researchers Will Schroeder and Lee Christensen from security firm SpecterOps said in a new report. “While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous.”

How AD CS works

AD CS is used to set up a private enterprise certificate authority (CA), which is then used to issue certificates that tie a user or machine identity or account to a public-private key pair, allowing that key pair to be used for different operations, such as file encryption, signing files or documents, and authentication. AD CS administrators define certificate templates that serve as blueprints for how certificates are issued, to whom, for what operations, for how long, and with what cryptographic settings.

In other words, as in HTTPS, a certificate signed by the CA is proof that the AD infrastructure will trust a particular public-private key pair. So, to obtain a certificate from AD CS, an authenticated user or computer generates a key pair and sends the public key, along with various desired settings, to the CA as part of a certificate signing request (CSR). The CSR will indicate the user identity in the form of a domain account in the subject field, the template to be used to generate the certificate, and the type of actions for which the certificate is desired, which is defined in a field…

Source…
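Because templates decide who may enroll, what the resulting certificate may be used for, and whether the requester or the CA fills in the subject, a defender's first pass over an AD CS deployment is to read the template objects themselves. The script below is an added example, not code from SpecterOps or from the report: it takes the template objects as LDIF (as exported by ldapsearch, assumed to be run with `-o ldif-wrap=no` so values are not folded) and lists templates that both let the enrollee supply the subject name (bit 0x1 of msPKI-Certificate-Name-Flag) and carry an authentication-capable extended key usage, or no EKU at all. That combination means the CA would bind a caller-chosen identity to a logon-capable certificate, which is exactly the kind of template setting worth reviewing against the "to whom" and "for what operations" intent described above. The attribute names, the flag value and the EKU OIDs are the documented ones; the host, bind DN and configuration-partition DN in the usage comment are placeholders, and the sample LDIF is constructed, not exported from a real forest.

```shell
#!/bin/sh
# Added example: triage AD CS certificate templates exported as LDIF. Not code from the report.
set -eu

# audit_templates < ldif : prints "REVIEW <template> enrollee-supplies-subject+auth-eku" per match.
audit_templates() {
  awk '
    function flush() {
      if (cn == "") return
      authable = (eku_count == 0)              # no EKU at all means any purpose, authentication included
      for (i = 1; i <= eku_count; i++)
        if (eku[i] == "1.3.6.1.5.5.7.3.2" ||    # Client Authentication
            eku[i] == "1.3.6.1.5.2.3.4" ||      # PKINIT Client Authentication
            eku[i] == "1.3.6.1.4.1.311.20.2.2" || # Smart Card Logon
            eku[i] == "2.5.29.37.0")            # Any Purpose
          authable = 1
      supplies_subject = (flag % 2 != 0)       # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
      if (supplies_subject && authable)
        print "REVIEW " cn " enrollee-supplies-subject+auth-eku"
      cn = ""; flag = 0; eku_count = 0; split("", eku)
    }
    /^dn: /                           { flush() }
    /^cn: /                           { cn = substr($0, 5) }
    /^msPKI-Certificate-Name-Flag: /  { flag = substr($0, 30) + 0 }
    /^pKIExtendedKeyUsage: /          { eku[++eku_count] = substr($0, 22) }
    END                               { flush() }
  '
}

# Real-world usage (placeholders for host, bind account and the forest's configuration partition):
#   ldapsearch -o ldif-wrap=no -H ldap://dc.example.test -D 'audit@example.test' -W \
#     -b 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=test' \
#     '(objectClass=pKICertificateTemplate)' cn msPKI-Certificate-Name-Flag pKIExtendedKeyUsage \
#     | audit_templates

# Constructed sample export: four templates, two of which should be flagged.
SAMPLE_LDIF='dn: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=test
cn: Machine
msPKI-Certificate-Name-Flag: -2113929216
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2

dn: CN=CustomWebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=test
cn: CustomWebServer
msPKI-Certificate-Name-Flag: 1
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1

dn: CN=CustomUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=test
cn: CustomUser
msPKI-Certificate-Name-Flag: 1
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2

dn: CN=NoEku,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=test
cn: NoEku
msPKI-Certificate-Name-Flag: 1
'

printf '%s' "$SAMPLE_LDIF" | audit_templates
```

On the sample, Machine is skipped because the CA builds its subject from the account, CustomWebServer is skipped because its only EKU is server authentication, and CustomUser and NoEku are reported. A hit is a review item, not a verdict: the enrollment permissions on the template and any manager-approval or authorized-signature requirements still decide who can actually obtain such a certificate.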