With an apparent move to having a wide variety of CA vendors / leaf certs / etc, won't that make it harder for people to recognize when, for instance, a government forces a CA to issue valid certs for domains like gmail.com and intercepts what they presumed were private communications?
I think it will be completely safe. Private key's are not something that a CA has or ever should have possession of so unless Google themselves provide their private key's willingly to government's all information remains private.
It is about time that Google moved to 2048 bit Roots and Keys. The continued use of the archaic Equifax Root signed hierarchy was a poor example to businesses and Enterprises on how to use SSL certificates to ensure the integrity of private and sensitive data and the legitimacy of the supposedly secured URL
SSL certificates are not used to protect Google themselves but the Public that interacts with Google, with the complete and unequivocal expectation that their Private and Sensitive data will remain just that.
Our core business principles are based on this message and this is the guidance that itsolutionspeople.com provide to its customers.
Even with the expansion to 2048 bit keys, if the entropy generating the primes P and Q used for the encryption is too low, there are still issues. See the great research done by the University of Michigan about "minding your Ps and Qs" - one start point here - https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs/
So Google...do you have sufficient entropy? That's the real question. 1024 bit keys would theoretically have enough primes that there would never be an issue of duplicate keys, but poor random number generation and insufficient entropy led to the Michigan folks compromising about a half a percent of public keys. That is vastly more than predicted...
Multi-domain SSL certificates refer to a specific type of SSL certificate that offer security to multiple domain and hostnames that exist within the same domain. Multi-domain certificates are occasionally referred to as unified communications certificate (UCC), multi-SAN or UC certificate. This certificate is perfect for Exchange Server 2010, Microsoft Live Communications Software, and Microsoft Exchange Server 2007.
Follow
10 則留言 :
With an apparent move to having a wide variety of CA vendors / leaf certs / etc, won't that make it harder for people to recognize when, for instance, a government forces a CA to issue valid certs for domains like gmail.com and intercepts what they presumed were private communications?
... and certainly you should use sha-256 instead of sha-1 in your certificates
I think it will be completely safe. Private key's are not something that a CA has or ever should have possession of so unless Google themselves provide their private key's willingly to government's all information remains private.
It is about time that Google moved to 2048 bit Roots and Keys. The continued use of the archaic Equifax Root signed hierarchy was a poor example to businesses and Enterprises on how to use SSL certificates to ensure the integrity of private and sensitive data and the legitimacy of the supposedly secured URL
SSL certificates are not used to protect Google themselves but the Public that interacts with Google, with the complete and unequivocal expectation that their Private and Sensitive data will remain just that.
Our core business principles are based on this message and this is the guidance that itsolutionspeople.com provide to its customers.
Is there a list of SSL compliant vendors out there?
To answer April Joy;
Symantec, GeoTrust, Thawte, Trustwave
http://goo.gl/RKaaVE
Even with the expansion to 2048 bit keys, if the entropy generating the primes P and Q used for the encryption is too low, there are still issues. See the great research done by the University of Michigan about "minding your Ps and Qs" - one start point here - https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs/
So Google...do you have sufficient entropy? That's the real question. 1024 bit keys would theoretically have enough primes that there would never be an issue of duplicate keys, but poor random number generation and insufficient entropy led to the Michigan folks compromising about a half a percent of public keys. That is vastly more than predicted...
When can we expect to see updated Google applications that support these recommendations?
At this time, Google Drive's PC application does not support SNI and performs some degree of certificate pinning for transfers.
Multi-domain SSL certificates refer to a specific type of SSL certificate that offer security to multiple domain and hostnames that exist within the same domain. Multi-domain certificates are occasionally referred to as unified communications certificate (UCC), multi-SAN or UC certificate. This certificate is perfect for Exchange Server 2010, Microsoft Live Communications Software, and Microsoft Exchange Server 2007.
We all know what's wrong and don't care, how do we get a new certificate from Google?
張貼留言