Entrust SSL certificates based on SHA-1 standard, not issued via automated process
Entrust Certificate Services customers can be assured that all Entrust SSL certificates are based on SHA-1 - a hash algorithm developed by the National Institute of Standards and Technology (NIST) - and are not susceptible to this security concern. As a technology leader, Entrust is proactive in its approach to evolving security practices and is very involved in the formulation of new standards, including collaboration with such organizations as the CA/Browser Forum.
"The science of cryptography is rife with subtleties; seemingly harmless choices can sometimes have unexpected and dangerous consequences," said Entrust Director of Advanced Security Dr.
To discuss these latest developments, Dr.
Representing the highest level of SSL security, Extended Validation (EV) SSL certificates remain the only certificates that are issued to a set of industry-accepted guidelines. These guidelines not only consider verification requirements, but also address technical security requirements such as minimum key sizes, crypto algorithms and certificate extensions. As there are no guidelines for non-EV certificates, Entrust uses the current EV guidelines as a reference standard and has adopted many of their requirements in the issuance of other Entrust SSL certificate types.
"While the use of the MD5 hash standard is not in common use, these findings confirm that technology leaders need to constantly evolve and advance online security standards," said Entrust Senior Vice President
Additional concerns regarding SSL digital certificate verification were discovered last week when a technology blogger reported how he was able to obtain an illegitimate SSL digital certificate by taking advantage of an automated process that is popular with some certification authorities (CAs). The person was able to fraudulently obtain digital certificates by exploiting a loophole in the Domain Verification (DV) process.
Instead of involving human specialists in vetting each and every request for a certificate, the DV technique uses an automated process. While an automated process does reduce SSL vendor cost, it is subject to vulnerabilities that make it easier to obtain illegitimate SSL certificates.
In the interest of maintaining trust, Entrust does not issue domain-only verified SSL certificates. Each Entrust SSL digital certificate is issued only after a thorough, personalized organizational vetting process.
Extended Validation refers to rigorous, industry-standard validation methods used by certification authorities before issuing an EV SSL certificate. Conceived in response to the growing threats of phishing and man-in-the-middle attacks, Extended Validation SSL certificates were created by the CA/Browser Forum. EV SSL certificates are issued to Web sites only after rigorous validation of their identity. Current-generation Web browsers -- Microsoft Internet Explorer 7, Mozilla's Firefox 3, Opera 9.5 and Google Chrome, for example -- reflect this higher level of identity assurance with prominent and distinct trust indicators.
Entrust Extended Validation and Advantage SSL digital certificates are available for purchase through Entrust's Certificate Services Web site at www.entrust.net.
About Entrust
Entrust (Nasdaq: ENTU) secures digital identities and information for consumers, enterprises and governments in more than 2,000 organizations spanning 60 countries. Leveraging a layered security approach to address growing risks, Entrust solutions help secure the most common digital identity and information protection pain points in an organization. These include SSL, authentication, fraud detection, shared data protection and e-mail security. For information, call 888-690-2424, e-mail entrust@entrust.com or visit www.entrust.com.
Entrust is a registered trademark of Entrust, Inc. in the
SOURCE Entrust, Inc.